cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3680
Views
10
Helpful
7
Replies

Cisco ESA External Threat Feeds

ccna_security
Level 3
Level 3

Dear all. yesterday I configured External Threat Feed in cisco esa. In order test it I send malicious url from my personal email to corporate email. that email directly send to Outbreak quarantine and approximately 1 hour later that email released from quarantine and forwarded to corporate email along with SUSPICIOUS warning message. Now I have a question. How can I test whether external threat feed works or not? Shouldn't it catch malicious urls sent inside email?

7 Replies 7

Mathew Huynh
Cisco Employee
Cisco Employee
Hey Ccns90,

External threat feeds requires the correct URLs to query as the source.
To verify if the source is returning results for the ETF to work you can verify inside the "threatfeeds" log files.

When an email is sent in and depending on where you deployed your ETF (HAT level, filter/content filters etc) the logs (mail_logs) will return if it was matched under a threat feed.

Sample:
Thu Jun 7 20:48:10 2018 Info: MID 91 Threat feeds source 'S1' detected malicious URL:
'http://digimobil.mobi/' in attachment(s): malurl.txt. Action: Attachment stripped

Thanks,
Mathew

ppreenja
Cisco Employee
Cisco Employee
Hi Ccns90,

I hope the below article and video will be able to help you with the testing part on the External Threat Feeds:

https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_0101001.html

https://www.youtube.com/watch?v=rmnQt6pBrZo <--- (link found on the internet)

Regards,
Pratham

Hi. I did exact same think shown youtube video you sent. It connected to puplic servers successfuly. And i created content filter appropriately. But was not be able to proof that this etf really works. Bad urls got blocked by url filters none of the url got blocked by etf

Hi Ccns90,

We would need to check the config and logs to see what exactly happened or why the ETF feature did not work. I would suggest opening a case with Cisco TAC, we would be happy to check the config and share reason as to why ETF did not work. 

Rgds,

Gagan

Url filters are part of content filters. Just reorder your content filters so that the ETF filter happens first...

@ccna_security  This is my first recommendation as well.

Content filters works off an ordering - ensure you set the URL filtering below ETF and re-do your test to verify results.

If the URL filtering is already taking action then it leaves nothing for the ETF feature.

 

In the event the ordering is done and it's still not matching, then we'll need to look a bit more deeper into it.

 

Thanks @Ken Stieers  for bringing up this point.

 

Regards,

Mathew

Thanks for all of your reply. I reordered content filter(first ETF and then URL filter). I sent malicious url inside email then only url filter catches it not ETF.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: