topic Would you please be so kind in Network Security

Spam feed in Security Intelligence

tpospisil — Tue, 12 Mar 2019 13:03:01 GMT

I use firepower v.5.4.1 on ASA 5516. I see huge amout of malware comming via mail (smtp connection). Almost every malware detection is only retrospective. It means malware reached customer mail servers and maybe users mail-boxes too. IP addresses of senders of malware messages (.zip files) are all listed as spam senders in senderbase.org or other anti-spam lists.

Firepower Security Intelligence has feed and one of the category is Spam. But there is only 32k of ip addresses. I see some match and block on this list, but majority of malware from spam IP senders passed and is detected only hours or days later by retrospective.

Could somebody suggest me reliable spam list (list of spammers IP addresses) which can be used as 3rd party list and can be downloaded as custom list? Or event better: is there any feed (not only static list) which can be used as Firepower Security Intelligence object?

Hi,

ankojha — Fri, 01 Jul 2016 10:08:25 GMT

Hi,

As of now, we just have the static list in security intelligence but if you are observing

some spam ip's being bypassed, you can open a TAC case so that we can investigate it further

and have the feed updated on our end.

Rate if it helps.

Thanks,

Ankita

Would you please be so kind

Dusan Vuckovic — Tue, 05 Jul 2016 16:23:25 GMT

Would you please be so kind to elaborate (for a Snort newbie) where do you check all of that stuff . I'm also interested in what happens with spam and if there is something we can do about it .

Much appreciated. Thank you

Hi,

ankojha — Wed, 06 Jul 2016 07:31:55 GMT

Hi,

You can check the spam static list under /var/sf/si_urldownload and if you do

cat of the uuid , you will see the list of url or ip's in the list.

You can follow the document to have better understanding :

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/AC-Events.html

Rate if it helps.

Thanks,

Ankita

Thank you . Much appreciated.

Dusan Vuckovic — Wed, 06 Jul 2016 14:24:51 GMT

Thank you . Much appreciated.

Static list is not a problem.

tpospisil — Wed, 13 Jul 2016 07:19:43 GMT

Static list is not a problem. But it's poor content. Cisco owns intelligence sources (senderbase.org, ironport's source ....), but on firepower spam list is like a joke. Firepower services get passed hundreds of malware files (as it later marks as retrospective) and all of IPaddr of senders is listed on senderbase.org with poor mail reputation.

This is big confusion for customer: every morning opens firepower console and get list of passed malware, received from known malware senders.

I have good experience with

Ed Padilla Jr — Fri, 15 Jul 2016 18:12:35 GMT

I have good experience with the Security Intel feeds. In addition, i added the Cisco Talos, feed, too. In addition, we have our own internal Security Analysts intel feed. No issues, so far. Good metrics and reporting.

Could you be more specific,

tpospisil — Mon, 18 Jul 2016 06:07:28 GMT

Could you be more specific, please? Where I can find theese feeds and how can I use it in Firepower.

Hello ,

Jetsy Mathew — Mon, 18 Jul 2016 06:18:02 GMT

Hello ,

In order to update the Security Intelligence Feed, choose Objects > Object Management. Choose the Security Intelligence option from the left panel, and click Update Feeds. If you want to update your custom feed or you want to create a custom list, click Add Security Intelligence.

Rate if this post helps you

Regards

Jetsy

As I wrote in my opening post

tpospisil — Mon, 18 Jul 2016 06:23:52 GMT

As I wrote in my opening post, I use this buit-in feed. But these are poor. Because I receive tens of malware file per day. From IP addresses, which are known to Cisco (senderbase.org) as malware senders, but not included in built-in feeds. I am looking for third party feed to include to firepower which will contain IP's from senderbase.org (or similar) database.