IPS 4550 how import banned hosts list

Maurizio_C (Level 1)

Dear All,

We're managing two appliances as indicated.

We would like to import a "custom" list of banned hosts.

  • Does the IPS appliance have this capability?
  • If yes, can someone give me some information on how to accomplish it?

Thank you all in advance.

B. Regards.

Maury

3 Replies

clausonna (Level 3)

By 'banned hosts' do you mean a list of external IP addresses that you want to deny any internal users from connecting to? Or do you mean a list of internal systems that you don't want to allow through the IPS unit?

If it's the former: create a custom IPS signature, atomic-ip engine, and create a custom variable that you'll populate with the list of blacklisted external IP addresses. I can explain further if you need; it's been a long day/week.

If you're trying to ban by computer name then that's probably not as easy. I would need to think about that and it might not even be possible.

Dear Clausonna,

First of all, thank you for your reply.

Yes, it's your first translation: external IP addresses that we don't want to allow to access our AS.

Moreover, one of my targets is to ban a TOR host list provided from somewhere, but the occasion is to implement a scalable process that allows us to quickly add/remove banned hosts based on a list that I would like to import to our IPS. The list we are intending is based on IP address only.

I'm following your indication: make a custom signature.

By the GUI, I'm doing a custom sig with engine Atomic-IP. So, my understanding is going to "Specify IP Addrs Option -> Specify Source IP Addresses -> Source IP address" and specifying a sort of variable (where I can pass a list of banned IP hosts I want to block) as you named. At this point, I need some additional explanation on how to proceed.

For good understanding, I put a picture of what I'm doing.

Waiting for your feedback, thanks a lot, so much!

Hi Maurywind

Yes, you have this correct. I would suggest creating a different custom IPS signature for each blocklist that you plan on using. So perhaps sigid 60000 is "TOR Blocklist" and sigid 60001 is "SpamHaus DROP blocklist", for example.

If you need any scripts to parse known blacklists into CSV let me know, but they are relatively easy to create if you are comfortable with Linux bash scripts.

Also note that there is a bug in the IPS 7.0 and 7.1 code for variables - they do not take effect in a signature until the sensor is rebooted. The fix for 7.1 is not due until Fall 2013 - something I find absolutely ridiculous, but that's Cisco IPS for you. If you are running the latest 7.2 train you should be OK.
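As an added example (not posted by anyone in this thread and not Cisco's own tooling), here is the kind of small shell script the reply above refers to: it takes a downloaded plain-text blocklist with comments (the Spamhaus DROP style of `network ; annotation`, or `#` comments as in many TOR exit lists), drops everything that is not a well-formed IPv4 address or prefix, de-duplicates it, and emits one comma-separated line that can be pasted into the custom variable of the per-list signature. The sample list is constructed from RFC 5737 documentation ranges, and the assumption that the IPS network variable accepts a comma-separated list of addresses and prefixes should be checked against the sensor's own documentation before use.

```shell
#!/bin/sh
# blocklist_to_csv: normalise a plain-text IP blocklist into one
# comma-separated line for a Cisco IPS custom variable.
# Hypothetical helper written for this example; the variable syntax it
# targets (comma-separated addresses/prefixes) is an assumption.
#   $1 = path to the downloaded list
blocklist_to_csv() {
    # 1. strip ';' and '#' comments and surrounding whitespace
    # 2. keep only dotted-quad IPv4, optionally with /prefix
    # 3. reject octets > 255 and prefix lengths > 32 that the regex lets through
    # 4. de-duplicate while preserving the list's order
    # 5. join the survivors with commas
    sed -e 's/[;#].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
    awk -F'[./]' '{
        ok = 1
        for (i = 1; i <= 4; i++) if ($i + 0 > 255) ok = 0
        if (NF == 5 && $5 + 0 > 32) ok = 0
        if (ok) print
    }' |
    awk '!seen[$0]++' |
    paste -sd, -
}

# write_sample_list: constructed sample input (not real blocklist data),
# mixing DROP-style annotations, '#' comments, duplicates and junk lines.
#   $1 = destination path
write_sample_list() {
    cat > "$1" <<'EOF'
; Spamhaus DROP List - constructed sample for this example, not real data
; Last-Modified: Mon, 01 Jan 2013 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
# constructed TOR exit node sample
203.0.113.5
203.0.113.5
999.1.1.1
not-an-address
203.0.113.7   
EOF
}

# Stand-alone demo: write the constructed sample and print the CSV line.
# Expected: 192.0.2.0/24,198.51.100.0/24,203.0.113.5,203.0.113.7
tmp=$(mktemp)
write_sample_list "$tmp"
blocklist_to_csv "$tmp"
rm -f "$tmp"
```

Usage against a real download would be `blocklist_to_csv drop.txt`; because each signature in the reply's scheme maps to one list, the script is run once per list and the output pasted into that signature's variable (remembering the reboot caveat above for 7.0/7.1 sensors). The octet check in `awk` matters because the regex alone accepts strings like `999.1.1.1`, which would otherwise be pushed into the sensor as a malformed entry.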
