High-risk GTI reputation block on its first detected connection

Hi, all,
I have the following question:
Is it possible through GTI (I suppose it would be in the Connection Limiting policy) for the first packet seen with a high reputation to be blocked?

I am asking because so far I cannot get this policy to block any IP address with a bad reputation on its first connection.

The policies I have in place are:

Connection Limiting Policy:

  Enabled
  High Reputation
  ---
  GTI
  Connection Rate
  11 Conn/Sec (other values tried: 1 Conn/Sec and 10 Conn/Sec)
  High Risk
  Any / Any
  n/a
  Alert & Quarantine

IPS Policies:

IP: Connection Limiting Rule Match (values tried):

  Threshold: 1, Interval: 25
  Threshold: 1, Interval: 1
  Threshold: 10, Interval: 10

2 Replies
McAfee Employee

Re: High-risk GTI reputation block on its first detected connection

Hi there,


Do you have XFF enabled on the inspection policy applied to the sensor interface or subinterface?

Are the IPS alerts showing the XFF IP address or the L3 IP address?

XFF has some impact on how Connection Limiting rules work - it is explained on this link.


HTH.


Regards,

David


Re: High-risk GTI reputation block on its first detected connection

Hi, thanks for the reply. Regarding your suggestion: yes, I do have XFF enabled, but I think this only applies to HTTP inspection. Investigating a little more, I think it is not possible for GTI to block connections that are detected as high risk on the first detection (like a port scan or port sweep). Apparently the only way is to block by SmartBlocking; the drawback I see with this is that, in addition to BTP and the reputation from GTI, it adds ports considered high risk, incorporating a variable that could generate false positives. I will continue investigating, but I get the feeling that it is not possible. I find it strange, because blocking by reputation would be an efficient and inexpensive way in terms of equipment resources.
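To illustrate the behaviour discussed in this thread, here is an added example (not code from the thread or from McAfee) modelling a threshold/interval connection-limiting rule keyed on reputation. The rule semantics (count connections from a matching source in a sliding interval and respond only once the count exceeds the threshold) and the reputation lookup are assumptions, not NSP's implementation; the addresses are constructed sample values.

```python
from collections import defaultdict, deque

# Constructed stand-in for a GTI reputation query (assumption, sample values only).
REPUTATION = {"203.0.113.7": "High Risk", "198.51.100.20": "Minimal Risk"}


class ConnectionLimiter:
    """Model of a reputation-based connection-limiting rule.

    Assumption: connections from sources whose reputation matches are counted
    over a sliding window of `interval` seconds, and the response fires only
    when the count in that window exceeds `threshold`.
    """

    def __init__(self, reputation, threshold, interval):
        self.reputation = reputation
        self.threshold = threshold
        self.interval = interval
        self.windows = defaultdict(deque)  # source -> timestamps in window

    def evaluate(self, src, ts):
        """Return the verdict for one connection from `src` at time `ts`."""
        if REPUTATION.get(src) != self.reputation:
            return "allow"
        window = self.windows[src]
        # Drop timestamps that have aged out of the interval.
        while window and ts - window[0] >= self.interval:
            window.popleft()
        window.append(ts)
        return "alert+quarantine" if len(window) > self.threshold else "allow"


def first_hit_is_blocked(threshold, interval, src="203.0.113.7"):
    """True only if the very first connection from a high-risk source is blocked.
    Under this model it never is: the first hit is what starts the count."""
    limiter = ConnectionLimiter("High Risk", threshold, interval)
    return limiter.evaluate(src, 0.0) != "allow"


def run_scenario(threshold, interval):
    """Replay a constructed burst: three hits from a high-risk source, one benign."""
    limiter = ConnectionLimiter("High Risk", threshold, interval)
    events = [("203.0.113.7", 0.0), ("203.0.113.7", 0.5),
              ("198.51.100.20", 0.6), ("203.0.113.7", 1.2)]
    return [limiter.evaluate(src, ts) for src, ts in events]


if __name__ == "__main__":
    print(run_scenario(1, 1))
    print(first_hit_is_blocked(1, 1))
```

With threshold 1 and interval 1 the second and fourth high-risk connections are quarantined, but the first is always allowed, which matches what the thread observes: a rate rule responds to an excess, not to the first packet.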
