08-07-2018 08:46 AM
When adding IPs or URLs to EDLs, I was wondering if adding comments after the token is supported? Either it is a TAB or SPACE or some escape character. Has anyone tried this? I don't see it in any of the documentation.
My use case is adding a ticket number or some other identifying mark to tie the line back to an incident.
08-07-2018 08:52 AM
On the firewall you won't be able to do this, as the firewall simply grabs the indicators present in the EDL and adds them to its cache.
If you are looking to add comments, that would really be something that you are adding in your EDL host, for example as a comment added to the indicators in MineMeld. The EDL source would then be the 'master', so to speak, of the EDL, and any modification that needs to be made should be done through the EDL source.
08-07-2018 03:02 PM
You can add comments to the list itself. The only requirement is that there is a space after the IP. Here's the documentation talking about syntax requirements for EDL:
The most relevant bit is:
The external dynamic list can include individual IP addresses, subnet
addresses (address/mask), or range of IP addresses. In addition, the
block list can include comments and special characters such as
* , : , ; , #, or /.
The syntax for each line in the list is
[IP address, IP/Mask, or IP start range-IP end range] [space] [comment]
That said, as @BPry alluded to, the comment won't show up on the firewall. The comment only exists in the list source, but if it's something you control anyway, you can add the comment there.
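A checker for the list source, as an added example that is not part of the original posts or of any Palo Alto Networks code: it applies the quoted line syntax to an IP list and reports which entries carry no comment. It assumes a space is the only accepted separator (the page does not say whether a tab works, so tab-separated lines are flagged), and the addresses, ticket ids and user name in the sample are constructed.

```python
import ipaddress

def parse_edl_line(line):
    """Split one IP-list line into (entry, comment) using the quoted syntax."""
    # Only the first space separates the entry from the free-text comment.
    entry, _, comment = line.rstrip("\r\n").partition(" ")
    if "-" in entry:                      # IP start range-IP end range
        start, _, end = entry.partition("-")
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version != hi.version or lo > hi:
            raise ValueError("bad range: " + entry)
    elif "/" in entry:                    # IP/Mask
        ipaddress.ip_network(entry, strict=False)
    else:                                 # individual IP address
        ipaddress.ip_address(entry)
    return entry, comment.strip()

def review_edl(text):
    """Return (entries, uncommented, rejected) for a periodic list review."""
    entries, uncommented, rejected = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue                      # skip blank lines
        try:
            entry, comment = parse_edl_line(line)
        except ValueError:
            rejected.append((lineno, line))   # not a valid IP, subnet or range
            continue
        entries.append((entry, comment))
        if not comment:
            uncommented.append((lineno, entry))  # nothing ties it to an incident
    return entries, uncommented, rejected

# Constructed sample: documentation-range addresses, made-up ticket ids and user.
SAMPLE = (
    "192.0.2.10 INC-1001 added by jdoe\n"
    "198.51.100.0/24 INC-1002 scanner subnet\n"
    "203.0.113.5-203.0.113.20 INC-1003\n"
    "192.0.2.77\n"
    "192.0.2.99\tINC-1004 tab instead of space\n"
)

if __name__ == "__main__":
    entries, uncommented, rejected = review_edl(SAMPLE)
    for entry, comment in entries:
        print(f"{entry:28} {comment or '(no comment)'}")
    print("uncommented:", uncommented)
    print("rejected:", rejected)
```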
08-08-2018 05:17 AM
This is exactly what I was looking for @gwesson. It would be cool if it could pull these comments into the UI, but that is not a requirement. I review the EDL monthly and pull the IPs and URLs into more permanent objects and policies. It also helps determine who added the line with a comment of the user.