1911 Views, 0 Helpful, 3 Replies

BLACKLIST DNS request for known malware domain 8800.org

jhonnywblue
Level 1

Hello,

I have configured Firepower Management Center with the 2019-06-30 Snort rule update file. I am trying to generate an alert when I type "nslookup 8800.org" on my laptop. Right now, it is not generating an alert for it. I tried to look for the "BLACKLIST DNS" rules under the IPS policy, but I couldn't find any rules related to BLACKLIST DNS. I also tried to edit the Global Blacklist under the Default DNS Policy, but I couldn't make any changes to the list. Whitelist and Blacklist are both greyed out. Upon clicking the refresh icon, I don't see any list or IPs. Do I need any special license for this? I currently have Control and Protection licenses.

Can anyone please help point me in the right direction?

3 Replies

Marvin Rhoads
Hall of Fame

The Global Blacklist for URL is part of the Cisco-provided Security Intelligence feeds.

First check that your feeds are active: Object > Object Management > Security Intelligence > DNS List and Feeds. Verify that the "Cisco-DNS-and_URL-Intelligence-Feed" shows an update (default is every 2 hours).

Then check your Access Control Policy, Security Intelligence tab. Make sure that you have included "Global Blacklist for URL" in the Blacklist section (rightmost column).

It looks like my feeds are not active. Our FMC is not connected to the Internet, so I believe a feed update won't be an option for us. But I do see that the feed update is set to "update every 2 hours".

I checked the Access Control Policy, Security Intelligence tab, and I do see that it has both the White and Black lists in the right column.

 

Another thing is I cannot view the list or feed. Do you know why?

Yes, the SI feed update does require Internet connectivity.

You can check the contents of your feeds (fresh or stale :) ) by parsing through the actual files on your FMC. More details here:

https://community.cisco.com/t5/firepower/how-to-get-cisco-security-intelligence-feeds/td-p/3740062

https://www.lammle.com/post/how-to-find-the-list-of-ip-url-and-dns-entries-in-the-cisco-firepower-feed/
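The reply above suggests parsing the actual feed files on the FMC to see whether a domain such as 8800.org is present. The script below is an added example, not from this thread or from Cisco: it assumes the DNS feed has been exported as a plain one-entry-per-line text file (the real file location and exact format on the FMC are covered by the links above, not assumed here) and checks whether a queried name, or any parent domain of it, is listed. The feed content is constructed sample data.

```shell
#!/bin/sh
# Added example: look up a domain in a Security Intelligence DNS list that has
# been exported as one entry per line ('#' starts a comment).
# Assumption: feed format is plain text, one domain per line (not Cisco's spec).

# Constructed sample feed, written to a temp file so the script runs offline.
SAMPLE_FEED="$(mktemp)"
cat > "$SAMPLE_FEED" <<'EOF'
# constructed sample entries, not real feed data
example-bad-domain.test
8800.org
Malicious.Example.net
EOF

# si_lookup FEED DOMAIN
# Prints the matching feed entry and returns 0 when DOMAIN, or one of its
# parent domains (down to the registrable name), is listed; returns 1 otherwise.
# Matching is case-insensitive, ignores a trailing dot and skips comment lines.
si_lookup() {
  feed="$1"
  domain="$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')"
  while [ -n "$domain" ]; do
    # -F: literal match (dots are not regex wildcards); -x: whole line; -i: case-insensitive
    if grep -v '^[[:space:]]*#' "$feed" | grep -qiFx -- "$domain"; then
      printf '%s\n' "$domain"
      return 0
    fi
    case "$domain" in
      *.*.*) domain="${domain#*.}" ;;   # walk up one label: www.8800.org -> 8800.org
      *) break ;;                       # stop at the registrable name, do not test bare TLDs
    esac
  done
  return 1
}

# Usage: report whether the name from the thread is in the sample feed.
if si_lookup "$SAMPLE_FEED" "8800.org"; then
  echo "8800.org: listed in feed"
else
  echo "8800.org: not listed in feed"
fi
```

Because the check walks up the label hierarchy, a query for a host under a listed domain (for example a subdomain of 8800.org) is reported as covered, which mirrors how a DNS list entry for a domain applies to names beneath it.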
