topic Re: Proofpoint and other inbound blocklists in General Topics

Proofpoint and other inbound blocklists

networkadmin — Wed, 03 Aug 2016 19:24:13 GMT

I've been experimenting with MineMeld and have to say I love it so far.

I was browsing the list of feeds and looked at the ProofPoint ET Pro feed and I wondered if anyone knows how this feed works?

I got pricing and it's quite reasonable, but I'm not 100% clear how it integrates and can be integrated with Palo Alto, does anyone know?

Be interested in any views on the most effective inbound blocklists?

Re: Proofpoint and other inbound blocklists

Greg_R — Wed, 03 Aug 2016 19:50:55 GMT

I have added a couple of custom Proofpoint feeds that are free and keep forgetting to send them to Luigi to integrate into the product. I can't speak for what might be different between the free and paid versions.

url: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
description: > Emerging Threats Compromised List

url: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
description: > Emerging Threats FW Block List

Re: Proofpoint and other inbound blocklists

lmori — Wed, 03 Aug 2016 19:55:18 GMT

Hi networkadmin,

currently (0.9.18) there are 2 feeds provided by ProofPoint ET:

ET Domains, providing a list of domain indicators
ET IPs, providing a list of IP indicators

Each of them is covered by a prototype, proofpoint.EmergingThreatsDomains and proofpoint.EmergingThreatsIPs.

Inside the feeds, each indicator (IP or domain) has associated a list of categories.

When you create a Miner based on one of the ProofPoint prototypes:

you can specify the Auth Code provided by ProofPoint and the list of categories you are interested in:

You can create multiple Miners, and each of them can have different categories. This way you can have different feeds for inbound and outbound IP addresses.

ProofPoint can easily provide best practices about using their feeds for blocking or preventing attacks.

Please, let me know if you need additional details.

Re: Proofpoint and other inbound blocklists

lmori — Wed, 03 Aug 2016 19:57:03 GMT

Hi Greg,

I will make sure to add them in the next release.

Thanks !

luigi

Re: Proofpoint and other inbound blocklists

networkadmin — Thu, 04 Aug 2016 06:46:28 GMT

Thanks, one concern/query I do have is how people are using minemeld given there seems to be total of 50,000 entries maximum across all EBLs?

I don't know the count on the ProofPoint feed for example but I could imagine things being quite large.

Also (and I'm hoping to speak to ProofPoint) does anyone know if there is masses more on their commercial feed than the open source one?

I ask as I believe the ET Pro subscription inclues a ton of suricata/snort rules which we cannot use with our PAN, so essentially the only piece we'd be using is the EBL content via minemeld.

Thanks

Re: Proofpoint and other inbound blocklists

lmori — Thu, 04 Aug 2016 14:24:42 GMT

Hi networkadmin,

the ProofPoint ET Intelligence delivers feeds with much more context than what available in the Open Source. Let me know if you need a contact in PP, I'd be happy to help.

There are 2 things you can do to cope with the EDL max number of entries:

- you can limit the number of entries download from the MM feed attaching the 'n' parameter in the URL. Example, if the feed is published as https://<minemeld>/feeds/IPfeed, you can download only 10000 elements by using https://<minemeld>/feeds/IPFeed?n=10000

- by default MineMeld output feed are sorted using the "most recent" criteria. This means that when you download the first 10000 elements, you are downloading the 10000 most recent elements added to the feed. Sorting attribute can be changed by changing the prototype of the feed.

Please note that starting from 7.1, you have a max of 50000 (150000 on PA5K and PA7K) IPs in EDL and a max 50000 for URLs+Domains. Ref: https://live.paloaltonetworks.com/t5/PAN-OS-7-1-Videos/PAN-OS-7-1-URL-Filtering-Dynamic-Block-List-External-Block-List/ta-p/74098

Hope this helps.

Luigi

Re: Proofpoint and other inbound blocklists

jacobcavaness — Tue, 01 Aug 2023 18:01:47 GMT

Hi Lmori,

Has there been any change to being able to use ET Pro? Improvements?

We are switching over to PaloAlto Firewalls and am trying to find out if we can use ET Pro with them since we have valid license currently.

Thanks,

Jacob