topic Re: predefined IP address feeds are too small in Advanced Threat Prevention Discussions

predefined IP address feeds are too small

vladimir.stepanov — Tue, 02 Jul 2019 10:01:50 GMT

Hello,

I am checking the content of two predefined dynamic IP lists for high risky IP addresses and known malicious IP addresses and they are too small, just 613 addresses in total.

There is a document https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-new-features/content-inspection-features/palo-alto-networks-malicious-ip-address-feeds

and there we can find that at the time of writing there were 2969 IP addresses only in high risky list.

So the question, if it can be some problem with feed updates on our appliances or it is the actual size of these lists.

Regards,

Vladimir

Re: predefined IP address feeds are too small

BatD — Tue, 02 Jul 2019 10:15:39 GMT

@vladimir.stepanov There is nothing wrong with your appliance, they are around 600 now. The list is updated regularly with the anti-virus updates and the numbers can change when new IPs are added or removed.

Re: predefined IP address feeds are too small

vladimir.stepanov — Tue, 02 Jul 2019 10:27:12 GMT

But why it is like this, was there any announce or answer from paloalto? It is clear that 600 Ip addresses are nothing, also, before they had 10 times bigger list. So what, have paloalto failed with this feature and cannot support it anymore?

Re: predefined IP address feeds are too small

BatD — Tue, 02 Jul 2019 10:32:25 GMT

@vladimir.stepanov You should not rely too much on the pre-defined lists. They have never been a comprehensive security feed, but just a small addition to all the other firewall security features and profiles.

Re: predefined IP address feeds are too small

vladimir.stepanov — Tue, 02 Jul 2019 10:54:33 GMT

yes, I understand that I cannot rely on them since paloalto doesn't maintain it. But the question is what to use instead to block traffic from well-known malicious IP addresses. Ok, I mean well-known to other companies, not to paloalto, since their feeds are empty 🙂

Re: predefined IP address feeds are too small

OtakarKlier — Tue, 02 Jul 2019 19:17:11 GMT

Hello,

If you want to have other EBL's check these out:

Source on PAN support:

https://live.paloaltonetworks.com/message/54183#54183

Sans notes on this:

https://isc.sans.edu/forums/diary/Subscribing+to+the+DShield+Top+20+on+a+Palo+Alto+Networks+Firewall/19365/

Others listed on this site:

http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

http://malc0de.com/bl/IP_Blacklist.txt

http://panwdbl.appspot.com/lists/openbl.txt

However remember that IP's change frequently and a proper security poster also takes DNS and URL filtering into consideration.

Regards,

Re: predefined IP address feeds are too small

Chacko42 — Wed, 17 Jul 2019 13:11:47 GMT

@vladimir.stepanov: If you need more customized feeds, you can buy a subscription for Autofocus and generate a dynamic feed for your invididual needs. Blocking too many targets is dangerous - you have to keep in mind, that these lists are valid for all global PAN customers.

Re: predefined IP address feeds are too small

CrashDog — Thu, 08 Oct 2020 10:21:26 GMT

@Chacko42 wrote: MyAARPMedicare
@vladimir.stepanov: If you need more customized feeds, you can buy a subscription for Autofocus and generate a dynamic feed for your invididual needs. Blocking too many targets is dangerous - you have to keep in mind, that these lists are valid for all global PAN customers.

I understand that I cannot rely on them since paloalto doesn't maintain it. But the question is what to use instead to block traffic from well-known malicious IP addresses.

Re: predefined IP address feeds are too small

Chacko42 — Fri, 09 Oct 2020 06:54:32 GMT

You can also setup a minemeld server and import preexisting feeds from other malware intelligence.

e.g. urlhaus, spamhouse and so on got public feeds for known spammers and so on.

There is a own area in the live-community for all minemeld related topics