
URL feed list on FireSIGHT version 5.4

zaferberber
Level 4

Hello,

We have a public website address like www.xxx.com/malicious.txt; this address contains malicious website URLs and I want to block these URLs.

When I check the object configuration, it does not show an option like a Security Intelligence feed. (I can set a website address for a bad IP address list.)

Palo Alto can do this by default. Does anybody know a workaround solution for this problem?

regards

zafer

5 Replies

yogdhanu
Cisco Employee

Hi Zafer, can you please provide more details on what you are trying to accomplish?

As far as I understand, you are trying to block malicious URLs by creating custom URL objects (URLs which do not come in any category).

You can check the URL category at this link.

http://www.brightcloud.com/tools/url-ip-lookup.php

If the URL you are trying to block falls in any malicious category, you can block it by blocking that category, or create a custom URL object for that address and block that.

Security intelligence is something else and works based on IP address only.

Let me know if it helps.

Thanks

Yogesh

Hi Yogesh,

I don't want to block based on category information that comes from Cisco.

You can think of it like this: a malware analyst team found new malware and knows which sites communicate from the internet based on FQDN, not IP address. They update their URL with new malware sites.

This website address contains multiple URLs and is updated daily. I don't want to create an object for each URL on FireSIGHT.

I want to get the URL addresses from this site, "www.x.com/badurl.txt", and block them, that's all.

I can do this for IP addresses (Security Intelligence), but I cannot find it for URLs. I tried searching from the command line but I couldn't find a workaround solution.

regards

zafer

Hi

I can think of doing that based on category based blocking by blocking only certain categories.

Some of the categories are

>'confirmed spam sources'

>'malware sites'

>'Phishing and other frauds'

>'spam url'

>'spyware and adware'

It might help.

Thanks

Yogesh

Zafer, Your inquiry seems rather straightforward. One might think this is possible in the "URL Lists and Feeds" section of Object Management to create such a feed that can be added to an Access Control policy in its Security Intelligence tab and add such feed to the Blacklist.

I have the same question and I thought I'd see if anyone else has even discussed such a matter. In this thread, the Cisco respondent keeps trying to turn the matter into a "category" issue even after you initially respond with "I don't want to block based on category information that comes from Cisco". It is unfortunate that this person did not recognize such from each of your posts.

Our Security team often gives us domain names to be blocked. This would involve creating objects, then editing policy rules, then pushing. I was hoping that we could simply configure a "feed" to check their list that they maintain and they could get this done much quicker and have their own 24/7 ability to make their own additions/subtractions to that list. I would like to know if this truly is genuinely possible and operational within Cisco's Firepower system.

Zafer, et al, has anyone set up a custom feed used to unconditionally block certain domain names via the "feed" mechanism within Firepower?

Hi,

I think the DNS feed is the closest thing to this at the moment, or another way would be to populate URL objects from the REST API.
But that would require an upgrade to 6.x.

br, Micke