topic Re: Anyone integrating 3rd party threat intelligence/malicious IP feeds into Dynamic Block Lists? in General Topics

Anyone integrating 3rd party threat intelligence/malicious IP feeds into Dynamic Block Lists?

RyanF — Wed, 17 Dec 2014 01:08:22 GMT

I'd love to integrate lists of known malicious IPs like those in the links below into dynamic block lists, but I'm worried about overblocking or a bad feed hosing us. Has anyone used feeds similar to the ones below, either free or paid? What was your experience?

http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

http://malc0de.com/bl/IP_Blacklist.txt

http://panwdbl.appspot.com/lists/openbl.txt

Others: http://panwdbl.appspot.com/

Re: Anyone integrating 3rd party threat intelligence/malicious IP feeds into Dynamic Block Lists?

parmas — Wed, 17 Dec 2014 04:32:46 GMT

In my experience, using dynamic blocklist is a good mechanism since malicious sources frequently change. When it comes to over-blocking, I have actually only run into a couple of times where we ended up blocking an IP address that was actually legitimate. Overall my experience is that they are reliable.

Re: Anyone integrating 3rd party threat intelligence/malicious IP feeds into Dynamic Block Lists?

VinceM — Wed, 17 Dec 2014 15:44:36 GMT

Hi,

If you are looking a list of malicious host and you are ready to pay for that, use pan-db, In the database, exist a category malware which wil protect you against mailicious host.

Re: Anyone integrating 3rd party threat intelligence/malicious IP feeds into Dynamic Block Lists?

RyanF — Wed, 17 Dec 2014 15:55:46 GMT

Good point. We are already using pan-db. Just looking for additional ways to help keep out the bad guys.

Re: Anyone integrating 3rd party threat intelligence/malicious IP feeds into Dynamic Block Lists?

RyanF — Wed, 17 Dec 2014 15:57:36 GMT

parmas - Can you say which block lists you've used in production?

Re: Anyone integrating 3rd party threat intelligence/malicious IP feeds into Dynamic Block Lists?

jkim2 — Fri, 19 Dec 2014 04:55:46 GMT

those are ok to test but most of the free ones really are not' comprehensive enough. I've actually had some customer use opendns (paid), threatstop and others to get dns or other larger type block list.

typically the block list are really useful if an organization has a large threat feed (govt / dod etc..) or an enterprise with a large SOC / security analysis / incident response team that can actually manage the block list. Otherwise if you don't have the man power than use pan-db malware category(only as good as palo alto's threat feed) along with other threat feeds / security appliance / solutions etc for defense in depth.

Re: Anyone integrating 3rd party threat intelligence/malicious IP feeds into Dynamic Block Lists?

pulukas — Sat, 20 Dec 2014 14:12:31 GMT

If you are worried about false positives you can still setup the the black list but set your policy to permit with logging. Then take a look at the logs and see what would have been dropped before changing the action to deny.

setup external block lists

Working with External Block List (EBL) Formats and Limitations

Re: Anyone integrating 3rd party threat intelligence/malicious IP feeds into Dynamic Block Lists?

RyanF — Tue, 23 Dec 2014 05:14:21 GMT

Thanks, Steven Puluka . That will be a little tough in our environment, but should give us at least some insight.

I wish there were a "log, continue" option that I could just place at the top of the shared pre-rules in Pano. Once traffic hit that rule, it wouldn't permit or deny, but simply create a log entry and continue down the ruleset.

jkim@copperriverit.com - Wow, I didn't realize OpenDNS offered a threat feed compatible with Palo's DBLs. I actually sat in a presentation by the OpenDNS guys at DEFCON this year. They're doing some amazing work. Thanks!

Re: Anyone integrating 3rd party threat intelligence/malicious IP feeds into Dynamic Block Lists?

Alejandro_Aliaga — Tue, 07 Jul 2015 11:18:04 GMT

I'd love to integrate lists of known malicious IPs too.

Anyone is using a powershell script to automatice the deploy?

I´m trying to use the "Invoke-Webrequest" cmdlet to insert the IP address from the .txt file into a dynamic address group:

Invoke-WebRequest "$HostPA/api/?typetype=user-id&action=set&cmd=<uid-message><version>2.0</version><type>update</type><payload><register><entry ip="$ip"><tag><member>blacklist</member></tag></entry></register></payload> </uid-message>&key=$apikey"

I´d like to integrate the malicious IP address from panwdbl

Thanks in advance

Best Regards

Re: Anyone integrating 3rd party threat intelligence/malicious IP feeds into Dynamic Block Lists?

yarinbenado — Thu, 09 Jul 2015 16:57:48 GMT

Something we've run into with numerous customers using indeni to watch their PANW's:

They set up a dynamic block list, but then don't notice when the fetching of that list fails. It's basically a job that fails with the message "Unable to fetch external list. Using old copy for refresh." (see What Happens if the Server Configured for Dynamic Block Lists Becomes Unreachable?)

So keep your eye out for that.