FTD lab - Security intelligence testing failures

Hey everyone,

I'm running into some issues with my testing and I'm hoping someone can assist me with this as I'm a little lost.

First problem I've come across.

I'm browsing the security intelligence feed that's in var/sf/iprep_download/Sourcefire_intelligence_feed and I've been initiating some telnet sessions to those addresses using port 80. For some random addresses I've been able to initiate a connection via telnet or port 80. Any idea why, I thought this was a list of blocked addresses?

The second problem I have is that I'm able to run a tor browser without any issues, even though I have security intelligence enabled and tor_exit_nodes should be blocked. The strange thing is, I'm not seeing any connection events at all when I use a tor browser. I've run a packet capture to obtain the exit node I'm using, and I can see it's in a publicly shared exit node list.

I also tried setting up a rule that explicitly blocks TOR, TOR exit nodes and it's still not working.

Any ideas what I'm doing wrong? I've attached some screenshots to assist with this.

Thank you

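The manual test described in the post (read addresses out of the feed file, then telnet to them on port 80) can be made repeatable with a small script. The following is an added example, not code from the original post or from Cisco. It assumes the feed file is a plain-text list with one IPv4 address or CIDR block per line, with `#` comments and blank lines allowed (an assumption about the file format, so check it against the real file); the `SAMPLE_FEED` content is constructed for the example. A result of `open` only means a TCP handshake to that host completed from the machine running the script; the script cannot tell whether the packets actually traversed the FTD, so run it from a host whose path to the Internet goes through the device.

```python
"""Parse a Security Intelligence list file and probe listed hosts on port 80.

Added example, not the post's or Cisco's code. Assumes a plain-text feed with
one IPv4 address or CIDR block per line and '#' comments (an assumption).
"""
import ipaddress
import socket

# Constructed sample resembling a feed file; not real feed content.
SAMPLE_FEED = """\
# constructed sample feed
198.51.100.7
203.0.113.0/24
192.0.2.55      # trailing comment
this is not an address
"""


def parse_feed(text):
    """Return (networks, skipped): entries as ip_network objects, plus a count
    of lines that were neither blank, comment, nor a valid address/CIDR."""
    nets, skipped = [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False tolerates host bits set in a CIDR entry.
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            skipped += 1
    return nets, skipped


def is_listed(ip, nets):
    """True if ip falls inside any feed entry (a bare address parses as a /32,
    so a single listed host and a listed block are handled the same way)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def probe(ip, port=80, timeout=3.0):
    """Do what 'telnet <ip> 80' does: attempt a TCP connect.
    Returns 'open', 'refused', 'timeout' or 'error'."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"


def check_targets(ips, nets, port=80, timeout=3.0):
    """For each target, report whether it is on the list and how the connect
    attempt ended. A listed host that comes back 'open' is the case the post
    describes and deserves a look at the connection events for that flow."""
    return [(ip, is_listed(ip, nets), probe(ip, port, timeout)) for ip in ips]


if __name__ == "__main__":
    # Replace SAMPLE_FEED with open("/var/sf/iprep_download/<feed file>").read()
    # on the sensor, and pick targets from the parsed entries.
    nets, skipped = parse_feed(SAMPLE_FEED)
    print(f"parsed {len(nets)} entries, skipped {skipped} unparsable line(s)")
    for ip, listed, result in check_targets(["203.0.113.200", "198.51.100.8"], nets, timeout=1.0):
        print(f"{ip:16} listed={listed!s:5} connect={result}")
```

Pick test targets from the parsed entries rather than by hand, and compare each `open` result against what the device logged for that flow; an address that is reachable but sits inside a listed block still counts as listed here, which is why the check uses network containment instead of string comparison.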