
Security information on IP address or URL in Sourcefire

Vincent Fortrat
Level 1

Hello everyone,

I recently deployed the SFR module on an ASA 5512-X and I am facing the following issue: one website that is used on a daily basis has been blocked since we deployed FirePower services. Actually, it's been categorized as "Malware Site" with a bad reputation, "High Risk".

I added this URL to a white list so it can be reached, but the customer is asking us to gather some information on why it's been categorized like this. My question is: is there a Sourcefire or Cisco tool where we can see the history of a particular domain or IP address?

I checked on senderbase.org but there is no information like this and I know Sourcefire doesn't use SenderBase anyway.

My guess is that maybe this website was hacked in the past and has been delivering malware ever since.

Thanks in advance,

Vincent

1 Accepted Solution


alberx
Level 1

I think Sourcefire uses BrightCloud for web reputation. Check how the website you are accessing is categorized.

http://www.brightcloud.com/tools/change-request-url-ip.php


3 Replies

Exactly what I was looking for! Thanks!

Do you know if FirePower will use Cisco Security Intelligence in the future instead of BrightCloud?

I don't know anything about Sourcefire roadmaps. Sorry.
