I have certain subnets that are currently not in use in our domain. I wanted to IP-block for 30 minutes all IPs that access any of these subnets. Is it possible to create a threat signature for this?
Good afternoon, Viren!
Given the nature of our custom signature engine, I cannot think of a way to design a signature to accomplish what you are looking for.
However, what you are asking for may be possible with a Zone Protection profile under Reconnaissance Protection.
Please see this article for reference:
Hope this helps!
Thanks for your suggestion, I will look into that. What I've been trying is to set up strict vulnerability, AV, virus and URL profiles with default block and applying them to the policy. I have a request for enhancement to allow for block IP at the group level, but in the meantime I've added IP block to some brute force matches to get the desired effect. Waiting to see if this works.
To use custom signatures you need to trigger on a defined traffic pattern based on the contexts you have available for your use when creating a signature. Since you want a honeypot trigger, the challenge you would have is what traffic are you going to trigger on? Might I suggest you create a security rule for your honeynet and use a logging profile that can alert you via text message or email immediately upon being triggered.
Thought I would throw that out for your thoughts.
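As an added example (not from this thread, and not code from Palo Alto Networks), the script below shows one way to turn alerts from such a honeynet security rule into the 30-minute block the original question asks for: it reads log lines, keeps every source that reached one of the unused subnets, and renders the still-active entries as a one-address-per-line file, the format an External Dynamic List consumed by a blocking rule expects. The log line layout, subnet list, addresses and timestamps are all constructed assumptions.

```python
"""Derive a 30-minute block list from honeynet rule hits (added example)."""
from datetime import datetime, timedelta
import ipaddress

# Constructed assumptions: the subnets that are not in use in the domain.
UNUSED_SUBNETS = [ipaddress.ip_network(n) for n in ("10.99.0.0/16", "192.168.200.0/24")]
BLOCK_FOR = timedelta(minutes=30)

# Constructed sample of alert lines as a logging profile might forward them.
# Layout assumed here: "<ISO time> src=<ip> dst=<ip> rule=<name>".
SAMPLE_LOG = [
    "2024-05-01T10:00:00 src=203.0.113.5 dst=10.99.3.7 rule=honeynet-alert",
    "2024-05-01T10:05:00 src=198.51.100.9 dst=10.20.1.1 rule=allow-users",
    "2024-05-01T10:10:00 src=203.0.113.5 dst=192.168.200.44 rule=honeynet-alert",
    "2024-05-01T10:20:00 src=192.0.2.77 dst=10.99.0.1 rule=honeynet-alert",
]

def parse_hit(line):
    """Split one log line into its timestamp and a dict of key=value fields."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields

def touches_unused(dst):
    """True when the destination lies inside any subnet that should see no traffic."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in UNUSED_SUBNETS)

def build_blocklist(lines, blocked=None):
    """Map source IP -> expiry time; a fresh hit restarts the 30-minute window."""
    blocked = {} if blocked is None else blocked
    for line in lines:
        ts, f = parse_hit(line)
        if touches_unused(f["dst"]):
            blocked[f["src"]] = ts + BLOCK_FOR
    return blocked

def active_blocks(blocked, now):
    """Sources whose block window has not yet elapsed at time `now`."""
    return sorted(ip for ip, exp in blocked.items() if exp > now)

def render_edl(blocked, now):
    """One address per line, the plain-text form an External Dynamic List reads."""
    return "".join(ip + "\n" for ip in active_blocks(blocked, now))

if __name__ == "__main__":
    bl = build_blocklist(SAMPLE_LOG)
    print(render_edl(bl, datetime.fromisoformat("2024-05-01T10:25:00")), end="")
```

Re-run on a schedule (for example every minute) and publish the output where the firewall fetches its EDL; entries drop off by themselves once their window passes.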