01-17-2016 05:15 PM - edited 03-10-2019 06:32 AM
I was curious if there is a section in FireSIGHT where it could be programmed to block hosts like the Cisco IPS host blocks section? Kind of like the list of hosts blocked for triggering signatures. Trying to translate this into the new product.
Also, event action filters. A possibility could be a trust rule in the access control policy, correct?
01-17-2016 05:42 PM
Hi there
The Access control policy has a security intelligence tab which allows you to block connections to/from any IP address that you put in the Blacklist. You could also simply log instead of blocking by enabling logging and changing the drop to a monitor action.
The security intelligence is configurable per access control policy.
Under Object Management, in the SI section, you can also import a .txt-based file containing IP addresses or create an SI feed to a server where the .txt file is hosted.
A Trust rule action implies that you will perform no inspection to traffic matching your rule conditions.
Hope this helps
Paul
01-17-2016 09:11 PM
Thank you Paul. So basically if a host is hammering away with SQL injection it will block if and only if it matches the signature, being that I have it set up that way. If a host starts attacking with SQL injection with the Cisco IPS 7.0, it will place the source IPs that were triggering rules into a blocked host list to block all traffic from the host. It's just not a feature in SF, I suppose.
01-18-2016 04:59 AM
Hi, another option is once you see the event (connection, intrusion, malware, etc.), you can right click the attacking IP address and select Blacklist. This will add the IP into the Global Blacklist object which is in every Access control policy by default. You will not need to re-apply the ACP as it updates this change automatically.
Paul
12-24-2018 12:59 AM
Ciao,
All of it is right, but is there a possibility to do it in an automatic way, so that if a signature is matched the source or destination is blocked (or blocked for the next X seconds)?
Thanks
12-24-2018 06:22 AM
12-24-2018 12:09 PM
Ciao,
It's not exactly what I meant. Like the previous shun module, I'd like to block an attacker for a specific amount of time after a signature has triggered, and not just change a signature action after matching.
The case could be a brute force attack attempt, where in case of a signature match I'd like to block every connection coming from the attacker's IP address.
Thanks
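An added example, not code from this thread or from Cisco: the custom SI feed that Paul describes is a text file of addresses hosted on a server and polled by the management center, so a defender can approximate the time-limited block asked for in the last post by rebuilding that file from intrusion events and keeping a source listed only for a configurable window. The event tuple format, the window length and the one-address-per-line feed layout are assumptions; the sample events are constructed.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample of intrusion events: (ISO timestamp, source IP, rule name).
# In practice these would come from an event export; the format is an assumption.
SAMPLE_EVENTS = [
    ("2018-12-24T12:00:00+00:00", "198.51.100.23", "SQL injection attempt"),
    ("2018-12-24T12:00:05+00:00", "198.51.100.23", "SQL injection attempt"),
    ("2018-12-24T11:30:00+00:00", "203.0.113.7", "Brute force login"),
    ("2018-12-24T12:01:00+00:00", "not-an-ip", "Brute force login"),
]


def parse_events(rows):
    """Turn raw rows into (datetime, ip_address, rule); drop rows whose
    address does not parse so a malformed value never reaches the feed."""
    events = []
    for ts, ip, rule in rows:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        events.append((datetime.fromisoformat(ts), addr, rule))
    return events


def build_feed(events, now, block_seconds):
    """Return feed lines (one address per line, assumed feed layout) for every
    source whose most recent triggering event lies within block_seconds of now.
    Re-running this on a schedule makes an address fall out of the feed once
    its last event is older than the window, i.e. a time-limited block."""
    cutoff = now - timedelta(seconds=block_seconds)
    latest = {}
    for ts, addr, _rule in events:
        if ts >= cutoff and (addr not in latest or ts > latest[addr]):
            latest[addr] = ts
    # Sort by (version, numeric value) so v4 and v6 never compare directly
    # and the file is stable between runs, which keeps diffs readable.
    return [str(a) for a in sorted(latest, key=lambda a: (a.version, int(a)))]


def write_feed(path, lines):
    """Write the feed file that the SI feed object would point at."""
    with open(path, "w") as f:
        f.write("\n".join(lines) + ("\n" if lines else ""))


if __name__ == "__main__":
    now = datetime(2018, 12, 24, 12, 5, tzinfo=timezone.utc)
    lines = build_feed(parse_events(SAMPLE_EVENTS), now, block_seconds=600)
    write_feed("si_feed.txt", lines)  # assumed path served to the FMC
    print(lines)
```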