05-30-2013 02:33 AM - edited 03-10-2019 05:58 AM
Dear All,
We're managing two appliances as indicated.
We would like to import a "custom" list of banned hosts.
Thank you all in advance.
B. Regards.
Maury
05-31-2013 12:26 PM
By 'banned hosts' do you mean a list of external IP addresses that you want to deny any internal users from connecting to? Or do you mean a list of internal systems that you don't want to allow through the IPS unit?
If it's the former: create a custom IPS signature, atomic-ip engine, and create a custom variable that you'll populate with the list of blacklisted external IP addresses. I can explain further if you need; it's been a long day/week.
If you're trying to do ban by computer name then that's probably not as easy. Would need to think about that and it might not even be possible.
06-03-2013 01:18 AM
Dear Clausonna,
First of all, thank you for your reply.
Yes, it's your first translation: external IP addresses that we don't want to allow to access our AS.
Moreover, one of my targets is to ban a TOR host list provided from somewhere, but the occasion is to implement a scalable process that allows us to quickly add/remove banned hosts based on a list that I would like to import to our IPS. The list we are intending is based on IP address only.
I'm following your indication: make a custom signature.
By the GUI, I'm doing a custom sig with engine Atomic-IP. So, my understanding is to go to "Specify IP Addrs Option -> Specify Source IP Addresses -> Source IP address" and specify a sort of variable (where I can pass a list of banned IP hosts I want to block), as you named. At this point, I need some additional explanation of how to proceed.
For good understanding, I put a picture of what I'm doing.
Waiting for your feedback, thanks a lot, so much!
06-07-2013 06:49 AM
Hi Maurywind
Yes you have this correct. I would suggest creating a different custom IPS signature for each blocklist that you plan on using. So perhaps sigid 60000 is "TOR Blocklist" and sigid 60001 is "SpamHaus DROP blocklist" for example.
If you need any scripts to parse known blacklists into CSV let me know but they are relatively easy to create if you are comfortable with linux bash scripts.
Also note that there is a bug in the IPS 7.0 and 7.1 code for variables - they do not take effect in a signature until the sensor is rebooted. The fix for 7.1 is not due until Fall 2013 - something I find absolutely ridiculous but that's Cisco IPS for you. If you are running the latest 7.2 train you should be OK.
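A bash helper of the kind offered in the last reply, added here as an example and not the poster's own script: it takes a downloaded blocklist in Spamhaus DROP form ("prefix ; SBL-id") or one-address-per-line form with '#' comments (as TOR exit lists are often published), strips comments, validates each entry and emits the comma-separated list the thread describes feeding into the custom signature's variable. The input is a constructed sample, and it is an assumption that a comma-separated value is what the sensor's variable expects; the thread does not show the exact syntax.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): normalise a blocklist into one
# comma-separated line of unique IPv4 addresses / CIDR prefixes, ready to paste
# into an IPS signature variable (comma-separated format is an assumption).
set -eu

# Constructed sample input: Spamhaus DROP style lines (';' comments), then a
# plain one-per-line section ('#' comments), with a duplicate and a junk line.
SAMPLE_BLOCKLIST='; Spamhaus DROP List (constructed sample)
; Last-Modified: none
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
# TOR exit nodes (constructed sample)
203.0.113.5
203.0.113.5
not-an-address
203.0.113.77   # trailing comment
'

# blocklist_to_csv: read blocklist text on stdin, print the unique valid
# entries joined by commas, in first-seen order. Entries with an octet above
# 255 or a prefix length above 32 are dropped rather than passed to the sensor.
blocklist_to_csv() {
    sed -e 's/[;#].*$//' \
    | awk '
        # first field must be a dotted quad with an optional /prefix
        NF && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            split($1, o, "[./]")
            if (o[1] > 255 || o[2] > 255 || o[3] > 255 || o[4] > 255) next
            if (o[5] != "" && o[5] > 32) next
            if (!seen[$1]++) out = (out == "" ? $1 : out "," $1)
        }
        END { print out }'
}

# Emit the variable value for the constructed sample.
printf '%s' "$SAMPLE_BLOCKLIST" | blocklist_to_csv
```

Run it against a real download with `blocklist_to_csv < drop.txt`; the same function handles both formats, so one script can serve the per-list signatures suggested above.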