This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

How to Configure Action for 'automatic blocking an IP for an hour' in a vulnerability scanning?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

How to Configure Action for 'automatic blocking an IP for an hour' in a vulnerability scanning?

Go to solution
SOC_CSG
L4 Transporter

‎09-02-2015 09:23 AM - edited ‎09-03-2015 02:24 AM

Hello,

This would be possible to implement?
Configure my firewall to make a action for 'automatic blocking an IP for an hour' in a vulnerability scanning.

Objects -> Custom Objects -> Vulnerability

Example: IP auto-block attacker for 1 hour, if 10 times in 10 seconds Any Scan Vulnerability Bash.

Imagen 1.jpg

I want "OR" condition.

Imagen 02.jpg

 

Imagen 15.jpg

Imagen 16.jpg

 

Here. addition to "IP address exemptions" should also have an option of "exemptions region".

Imagen 17.jpg

Last weekend we suffered a scan vulnerability Bash from different origins (countries). Do you think that might work?

 

If this worked well It could be a good method to persuade an attacker.

Regards

dicu

0 Likes Likes
2 accepted solutions

Accepted Solutions

Go to solution
Lucky
L5 Sessionator
In response to Bradley_Melton

‎09-02-2015 01:02 PM - edited ‎09-02-2015 01:06 PM

Hi Bradley,

 

you have "and" condition, you wanted "or", that is the left out of two buttons circled in red square, they should all end up under a single "And condition 1".... as in:

rules.png

 

Also, direction should not be both, it is client2server, right? Server will not attack someone 🙂

Besides all this, you will need to include this newly created vulnerability into your existing profile that applies to the security policy protecting this communication, I hope you didn't forget that part of the config 🙂

 

Regards

View solution in original post

0 Likes Likes

Go to solution
BenjAudy.MTL
L4 Transporter
In response to SOC_CSG

‎09-04-2015 10:43 AM

Hi,

 

You will see an entry in the threat logs with the action "block-ip". To see the list of currently blocked IPs, use the following command in the CLI:

 

debug dataplane show dos block-table

 

If you want to remove an IP address from the block list before the timer goes down to 0 :

 

clear dos-protection zone <sourcezone> blocked source <ip-addr>

 

Benjamin

View solution in original post

0 Likes Likes
6 REPLIES 6

Go to solution
BenjAudy.MTL
L4 Transporter

‎09-02-2015 11:21 AM

Hi COS,

 

Your screenshots are very small, I can't see any detail. What is in the OR condition? Is there a reason why you did not simply change the timer in the existing Bash remote code execution vulnerabilities? Did you really need a brute-force style vulnerability?

 

Benjamin

Go to solution
Bradley_Melton
L2 Linker
In response to BenjAudy.MTL

‎09-02-2015 12:16 PM - edited ‎09-03-2015 05:13 AM

baudy,

 

The small screeshot size is due to the forum automatically resizing the images...

Here are links to the full size versions:

 

https://live.paloaltonetworks.com/t5/image/serverpage/image-id/182i9469721019583E85
https://live.paloaltonetworks.com/t5/image/serverpage/image-id/183iFE1264D72159DFB2
https://live.paloaltonetworks.com/t5/image/serverpage/image-id/184iDA76937EF6AAE73C
https://live.paloaltonetworks.com/t5/image/serverpage/image-id/181i461B7CCB2827410D

 

EDIT:  COS has fixed the images in the original post.

0 Likes Likes

Go to solution
Lucky
L5 Sessionator
In response to Bradley_Melton

‎09-02-2015 01:02 PM - edited ‎09-02-2015 01:06 PM

Hi Bradley,

 

you have "and" condition, you wanted "or", that is the left out of two buttons circled in red square, they should all end up under a single "And condition 1".... as in:

rules.png

 

Also, direction should not be both, it is client2server, right? Server will not attack someone 🙂

Besides all this, you will need to include this newly created vulnerability into your existing profile that applies to the security policy protecting this communication, I hope you didn't forget that part of the config 🙂

 

Regards

0 Likes Likes

Go to solution
SOC_CSG
L4 Transporter
In response to Lucky

‎09-04-2015 03:31 AM

Hello

I have two questions about this:
How can I verify that the firewall are blocking the attacking IP?

.. I imagine in the logs (threat). 😉
How can I check the time (timer) that carries a specific IP blocked?

Regards,

dicu

0 Likes Likes

Go to solution
BenjAudy.MTL
L4 Transporter
In response to SOC_CSG

‎09-04-2015 10:43 AM

Hi,

 

You will see an entry in the threat logs with the action "block-ip". To see the list of currently blocked IPs, use the following command in the CLI:

 

debug dataplane show dos block-table

 

If you want to remove an IP address from the block list before the timer goes down to 0 :

 

clear dos-protection zone <sourcezone> blocked source <ip-addr>

 

Benjamin

0 Likes Likes

Go to solution
SOC_CSG
L4 Transporter
In response to BenjAudy.MTL

‎09-10-2015 01:16 AM

Hello

Interesting commands.
Command quite helpful in unlocking an IP (false positive). I would also add the IP to the list of excluded. because otherwise it is likely that the IPS block again if detects a threat.

 

Thank you very much everybody.

dicu 😉

0 Likes Likes
  • 2 accepted solutions
  • 11078 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks