Anyone integrating 3rd party threat intelligence/malicious IP feeds into Dynamic Block Lists?


L2 Linker

I'd love to integrate lists of known malicious IPs like those in the links below into dynamic block lists, but I'm worried about overblocking or a bad feed hosing us.  Has anyone used feeds similar to the ones below, either free or paid?  What was your experience?

http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

http://malc0de.com/bl/IP_Blacklist.txt

http://panwdbl.appspot.com/lists/openbl.txt

Others: http://panwdbl.appspot.com/


L2 Linker

In my experience, using dynamic blocklists is a good mechanism since malicious sources frequently change. When it comes to over-blocking, I have actually only run into a couple of times where we ended up blocking an IP address that was actually legitimate. Overall my experience is that they are reliable.

L5 Sessionator

Hi,

If you are looking for a list of malicious hosts and you are ready to pay for that, use pan-db. In the database there is a malware category which will protect you against malicious hosts.

V.

Good point.  We are already using pan-db.  Just looking for additional ways to help keep out the bad guys.

parmas - Can you say which block lists you've used in production?

L3 Networker

Those are OK to test, but most of the free ones really are not comprehensive enough. I've actually had some customers use OpenDNS (paid), ThreatStop and others to get DNS or other larger-type block lists.

Typically the block lists are really useful if an organization has a large threat feed (govt / DoD etc.) or an enterprise with a large SOC / security analysis / incident response team that can actually manage the block list. Otherwise, if you don't have the manpower, then use the pan-db malware category (only as good as Palo Alto's threat feed) along with other threat feeds / security appliances / solutions etc. for defense in depth.

L7 Applicator

If you are worried about false positives you can still set up the blacklist but set your policy to permit with logging. Then take a look at the logs and see what would have been dropped before changing the action to deny.

setup external block lists

Working with External Block List (EBL) Formats and Limitations

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Thanks, Steven Puluka. That will be a little tough in our environment, but should give us at least some insight.

I wish there were a "log, continue" option that I could just place at the top of the shared pre-rules in Pano.  Once traffic hit that rule, it wouldn't permit or deny, but simply create a log entry and continue down the ruleset.

jkim@copperriverit.com - Wow, I didn't realize OpenDNS offered a threat feed compatible with Palo's DBLs. I actually sat in a presentation by the OpenDNS guys at DEFCON this year. They're doing some amazing work. Thanks!

I'd love to integrate lists of known malicious IPs too.

Is anyone using a PowerShell script to automate the deployment?

I'm trying to use the "Invoke-WebRequest" cmdlet to insert the IP addresses from the .txt file into a dynamic address group:

# The API type is user-id (not typetype); the inner quotes need backtick escaping inside a double-quoted PowerShell string
$cmd = "<uid-message><version>2.0</version><type>update</type><payload><register><entry ip=`"$ip`"><tag><member>blacklist</member></tag></entry></register></payload></uid-message>"
Invoke-WebRequest "$HostPA/api/?type=user-id&action=set&cmd=$cmd&key=$apikey"

I'd like to integrate the malicious IP addresses from panwdbl.

Thanks in advance

Best Regards
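One way to build that register call from a feed file while guarding against the overblocking and bad-feed concerns raised earlier in the thread, as an added example that is not from the poster or from Palo Alto: it parses a one-IP-per-line feed, drops private/loopback addresses and duplicates, refuses a feed that comes back suspiciously small, and assembles the uid-message payload. $HostPA, $apikey and the tag name "blacklist" are taken from the post above; the feed text is constructed inline so the script runs offline.

```powershell
# Added example: feed -> filtered host list -> User-ID register payload.
# Variables $HostPA and $apikey are assumed from the post; the feed is constructed.

$feedText = @"
# constructed sample in the one-address-per-line feed style
203.0.113.10
192.0.2.7
198.51.100.0/24   # range; skipped here, this call tags single hosts
10.0.0.5          # private, must never reach the firewall
127.0.0.1
not-an-ip
203.0.113.10      # duplicate
"@

function Get-FeedEntries {
    param([string]$Text)
    $entries = foreach ($line in $Text -split "`r?`n") {
        $l = ($line -replace '#.*$', '').Trim()               # strip comments/whitespace
        if ($l -notmatch '^(\d{1,3}\.){3}\d{1,3}$') { continue }
        $ip = $null
        if (-not [ipaddress]::TryParse($l, [ref]$ip)) { continue }
        $b = $ip.GetAddressBytes()
        # never push addresses that would block your own or unroutable space
        if ($b[0] -in 0,10,127) { continue }
        if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { continue }
        if ($b[0] -eq 192 -and $b[1] -eq 168) { continue }
        $l
    }
    @($entries | Sort-Object -Unique)
}

function New-RegisterPayload {
    param([string[]]$Entries, [string]$Tag, [int]$MinEntries = 1)
    # a feed that suddenly returns empty or tiny is more likely broken than clean;
    # fail loudly and keep the previous list instead of pushing it
    if ($Entries.Count -lt $MinEntries) {
        throw "feed yielded $($Entries.Count) usable entries (< $MinEntries); not updating"
    }
    $items = foreach ($e in $Entries) {
        $safe = [System.Security.SecurityElement]::Escape($e)   # XML-escape each value
        "<entry ip=`"$safe`"><tag><member>$Tag</member></tag></entry>"
    }
    "<uid-message><version>2.0</version><type>update</type><payload><register>" +
        ($items -join '') + "</register></payload></uid-message>"
}

$entries = Get-FeedEntries -Text $feedText          # 192.0.2.7, 203.0.113.10
$cmd = New-RegisterPayload -Entries $entries -Tag 'blacklist' -MinEntries 2
# Push with: Invoke-WebRequest "$HostPA/api/?type=user-id&action=set&key=$apikey&cmd=$([uri]::EscapeDataString($cmd))"
```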

L2 Linker

Something we've run into with numerous customers using indeni to watch their PANW's:

They set up a dynamic block list, but then don't notice when the fetching of that list fails. It's basically a job that fails with the message "Unable to fetch external list. Using old copy for refresh." (see What Happens if the Server Configured for Dynamic Block Lists Becomes Unreachable?)

So keep your eye out for that.

VP of R&D at indeni