Solved: Re: Hi, another option is once

babiojd01 · ‎01-17-2016

I was curious if there is a section in firesight where it could be programmed to block hosts like the CISCO IPS host blocks section? Kind of like the list of hosts blocked for triggering signatures. Trying to translate this into the new product.

Also, event action filters. A possibility could be a trust rule in the access control policy correct?

pazzi · ‎01-17-2016

Hi there

The Access control policy has a security intelligence tab which allows you to block connections to/from any IP address that you put in the Blacklist. You could also simply log instead of blocking by enabling logging and changing the drop to a monitor action.

The security intelligence is configurable per access control policy.

Under Object Management, in the SI section, you can also import .txt based file containing IP addresses or create a SI feed to a server where the .txt file is hosted.

A Trust rule action implies that you will perform no inspection to traffic matching your rule conditions.

Hope this helps

Paul

View solution in original post

pazzi · ‎01-17-2016

Hi there

The Access control policy has a security intelligence tab which allows you to block connections to/from any IP address that you put in the Blacklist. You could also simply log instead of blocking by enabling logging and changing the drop to a monitor action.

The security intelligence is configurable per access control policy.

Under Object Management, in the SI section, you can also import .txt based file containing IP addresses or create a SI feed to a server where the .txt file is hosted.

A Trust rule action implies that you will perform no inspection to traffic matching your rule conditions.

Hope this helps

Paul

babiojd01 · ‎01-17-2016

Thank you Paul, So basically if a host is hammering away with sql injection it will block if and only if it matches the signature. Beings I have it setup that way. If a host starts attacking with sql injection with the cisco ips 7.0 it will place the source IP that were triggering rules into a blocked host list to block all traffic from the host. Its just not a feature in sf i suppose.

pazzi · ‎01-18-2016

Hi, another option is once you see the event (connection, intrusion, malware, etc.), you can right click the attacking IP address and select Blacklist. This will add the IP into the Global Blacklist object which is in every Access control policy by default. You will not need to re-apply the ACP as it updates this change automatically.

Paul

ipagliani · ‎12-24-2018

Ciao,

all it's right but is there possibility to do it in automatically way so if a signature is matched the source o destination are blocked (or blocked for the next X seconds..).

Thanks

phil.hydea · ‎12-24-2018

Ciao

Yes, you can configure the intrusion rules with a 'Dynamic State'.

Within the Intrusion policy, select the desired rule and click Dynamic
State > Add Rate-based Rule State. The timeout value (based on seconds) can
be specified - this is the duration of the action you wish to set.

If you wish to set this as a flat rule so it kicks in straight away, set
the rate as 1 count/1 second and set to track by rule.

Hope this helps.

Kind regards
Phil

ipagliani · ‎12-24-2018

Ciao,

It's not exactly what I meat. Like a previous shun module I'd like to block an attacker for a specific amount of time after the a signature had trigged and not just change a signature action after matching.

The case could be a brute force attack attempt, where in case of signature match I'd like to block every connection coming from the attacker's IP address.

Thanks

Blocking hosts using Firesight and firepower