2 Replies Latest reply on Apr 14, 2017 9:13 AM by jblowerytc

    Threat intelligence feed logs

    ttl

      We have a rule set up to use the TIF thusly:


        We're getting alerts from Bad Folks™ trying to hit our outside IP, but that's happening all the time -- a good portion of the reason one doesn't put an IPS outside of the firewall. Does anyone have any good Use Case examples for the TIF? We're looking at crafting a rule that alerts us if any internal systems go to a TIF destination, but otherwise... ?

        • Re: Threat intelligence feed logs
          nicole pauls
          • definitely any firewall egress filter/outbound traffic to a "bad IP"
          • any other mechanisms you have to detect internal communication sources to a "bad IP" - router ACLs, IDS, local firewalls, authentication traffic, etc
          • excessive traffic from a number of "bad IPs" might be a more targeted attack (or denial of service)


          Many of the IPs in the lists are botnets, so for those you're primarily going to find value (or scary things, depending on how you look at it) in rules that look for internal-to-external communication (workstations, servers) outbound to any of those hosts. Inbound traffic from them is interesting in a probing/Denial of Service/targeted attack way, so you might set them to decent thresholds.

          1 of 1 people found this helpful
            • Re: Threat intelligence feed logs
              jblowerytc

              If you have to have any open ports or static NATs, etc. inbound to a server or app, a rule to alert you when known threats are detected coming to that particular IP and perhaps actions to auto-block those external offenders could seriously hinder the attacker. This could be another layer of defense to protect your Internet facing nodes or nodes that shouldn't be doing anything questionable at all with the Internet, such as your servers that rarely browse the web or any credit card subnets, etc.
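The two use cases above (internal hosts talking out to a TIF indicator, and TIF sources probing an exposed, static-NAT'd host above a threshold) as a small correlation routine. This is an added example, not code from the thread or from the SIEM product; the feed indicators, the log line format and the addresses are all constructed from documentation ranges.

```python
"""Correlate firewall logs with a threat-intel feed (constructed sample data)."""
import ipaddress
from collections import Counter

# Constructed indicators, as a TIF might deliver them (not a real feed).
TIF_INDICATORS = {"198.51.100.7", "203.0.113.55", "203.0.113.99", "203.0.113.100"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXPOSED_HOSTS = {"192.0.2.10"}   # constructed: our Internet-facing static NAT
INBOUND_THRESHOLD = 3            # distinct TIF sources before an inbound alert

# Constructed firewall log lines; the key=value format is assumed, not a vendor's.
SAMPLE_LOGS = """\
2017-04-13T09:00:01 allow src=10.0.5.23 dst=198.51.100.7 dport=443
2017-04-13T09:00:02 deny src=203.0.113.55 dst=192.0.2.10 dport=22
2017-04-13T09:00:03 deny src=203.0.113.99 dst=192.0.2.10 dport=22
2017-04-13T09:00:04 allow src=10.0.5.23 dst=198.51.100.200 dport=443
2017-04-13T09:00:05 deny src=203.0.113.100 dst=192.0.2.10 dport=3389
2017-04-13T09:00:06 allow src=10.0.9.4 dst=203.0.113.55 dport=8080
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse(line):
    ts, action, *kv = line.split()
    rec = dict(pair.split("=", 1) for pair in kv)
    rec.update(ts=ts, action=action)
    return rec

def correlate(lines, indicators, threshold=INBOUND_THRESHOLD):
    alerts = []
    inbound = Counter()   # distinct TIF sources seen hitting exposed hosts
    for line in lines.splitlines():
        rec = parse(line)
        # Highest value: an internal workstation/server talking out to a TIF hit.
        if is_internal(rec["src"]) and rec["dst"] in indicators:
            alerts.append(("HIGH", "outbound-to-tif", rec["src"], rec["dst"]))
        # Inbound from a TIF source to something we expose: count, alert at threshold
        # rather than per packet, since this happens all the time.
        elif rec["src"] in indicators and rec["dst"] in EXPOSED_HOSTS:
            inbound[rec["src"]] += 1
    if len(inbound) >= threshold:
        alerts.append(("MEDIUM", "inbound-from-tif", len(inbound), sum(inbound.values())))
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS, TIF_INDICATORS):
        print(alert)
```

The outbound rule fires per event because any hit there is worth a look; the inbound rule only fires once several distinct indicators have been seen, which is the thresholding suggested above.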