topic Re: How to Configure Action for 'automatic blocking an IP for an hour' in a vulnerability scanning? in General Topics

How to Configure Action for 'automatic blocking an IP for an hour' in a vulnerability scanning?

SOC_CSG — Thu, 03 Sep 2015 09:24:26 GMT

Hello,

This would be possible to implement?
Configure my firewall to make a action for 'automatic blocking an IP for an hour' in a vulnerability scanning.

Objects -> Custom Objects -> Vulnerability

Example: IP auto-block attacker for 1 hour, if 10 times in 10 seconds Any Scan Vulnerability Bash.

I want "OR" condition.

Here. addition to "IP address exemptions" should also have an option of "exemptions region".

Last weekend we suffered a scan vulnerability Bash from different origins (countries). Do you think that might work?

If this worked well It could be a good method to persuade an attacker.

Regards

dicu

Re: How to Configure Action for 'automatic blocking an IP for an hour' in a vulnerability scanning?

BenjAudy.MTL — Wed, 02 Sep 2015 18:21:53 GMT

Hi COS,

Your screenshots are very small, I can't see any detail. What is in the OR condition? Is there a reason why you did not simply change the timer in the existing Bash remote code execution vulnerabilities? Did you really need a brute-force style vulnerability?

Benjamin

Re: How to Configure Action for 'automatic blocking an IP for an hour' in a vulnerability scanning?

Bradley_Melton — Thu, 03 Sep 2015 12:13:33 GMT

~~baudy,~~

~~The small screeshot size is due to the forum automatically resizing the images...~~
~~Here are links to the full size versions:~~

https://live.paloaltonetworks.com/t5/image/serverpage/image-id/182i9469721019583E85
https://live.paloaltonetworks.com/t5/image/serverpage/image-id/183iFE1264D72159DFB2
https://live.paloaltonetworks.com/t5/image/serverpage/image-id/184iDA76937EF6AAE73C
https://live.paloaltonetworks.com/t5/image/serverpage/image-id/181i461B7CCB2827410D

EDIT: COS has fixed the images in the original post.

Re: How to Configure Action for 'automatic blocking an IP for an hour' in a vulnerability scanning?

Lucky — Wed, 02 Sep 2015 20:06:36 GMT

Hi Bradley,

you have "and" condition, you wanted "or", that is the left out of two buttons circled in red square, they should all end up under a single "And condition 1".... as in:

Also, direction should not be both, it is client2server, right? Server will not attack someone 🙂

Besides all this, you will need to include this newly created vulnerability into your existing profile that applies to the security policy protecting this communication, I hope you didn't forget that part of the config 🙂

Regards

Re: How to Configure Action for 'automatic blocking an IP for an hour' in a vulnerability scanning?

SOC_CSG — Fri, 04 Sep 2015 10:31:53 GMT

Hello

I have two questions about this:
How can I verify that the firewall are blocking the attacking IP?

.. I imagine in the logs (threat). 😉
How can I check the time (timer) that carries a specific IP blocked?

Regards,

dicu

Re: How to Configure Action for 'automatic blocking an IP for an hour' in a vulnerability scanning?

BenjAudy.MTL — Fri, 04 Sep 2015 17:43:27 GMT

Hi,

You will see an entry in the threat logs with the action "block-ip". To see the list of currently blocked IPs, use the following command in the CLI:

debug dataplane show dos block-table

If you want to remove an IP address from the block list before the timer goes down to 0 :

clear dos-protection zone <sourcezone> blocked source <ip-addr>

Benjamin

Re: How to Configure Action for 'automatic blocking an IP for an hour' in a vulnerability scanning?

SOC_CSG — Thu, 10 Sep 2015 08:16:18 GMT

Hello

Interesting commands.
Command quite helpful in unlocking an IP (false positive). I would also add the IP to the list of excluded. because otherwise it is likely that the IPS block again if detects a threat.

Thank you very much everybody.

dicu 😉