cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
Level 7
Report Inappropriate Content
Message 1 of 9

Comments in External Lists

Jump to solution

Is it possible to add comments to an external list text file? 

I am setting up an IP list and want to add comments for my team members to indicate the syntax the list is looking for.  Any insight would be much appreciated.

Thank you!

1 Solution

Accepted Solutions
Highlighted
Level 11
Report Inappropriate Content
Message 2 of 9

Re: Comments in External Lists

Jump to solution

Hello

For plain text files you can specify regex that will be used to select lines that will be imported. For example, if you want to treat as comments lines that starts with the '#' character, then you need to specify regex like ^[^#].*, so only strings that don't start with '#' will be included into list

View solution in original post

8 Replies
Highlighted
Level 11
Report Inappropriate Content
Message 2 of 9

Re: Comments in External Lists

Jump to solution

Hello

For plain text files you can specify regex that will be used to select lines that will be imported. For example, if you want to treat as comments lines that starts with the '#' character, then you need to specify regex like ^[^#].*, so only strings that don't start with '#' will be included into list

View solution in original post

Highlighted
Level 7
Report Inappropriate Content
Message 3 of 9

Re: Comments in External Lists

Jump to solution

But without manually specifying the regex route, nothing build into the functionality of the list?

Highlighted
Level 11
Report Inappropriate Content
Message 4 of 9

Re: Comments in External Lists

Jump to solution

Yes, nothing specific was built into MWG to specify comments. But regexes will work without any problem...

Highlighted

Re: Comments in External Lists

Jump to solution

however, Subscribed lists can have comments.

If i have a list like this on a web server;

type=string

"208.99.94.78" "Comment 1"

164.109.94.147

"212movie.com" "Another comment"

"actforlove.typepad.com" "What is this?"

"active.com" "comment"

activehealthsftp.net

Then they will be viewable on the list:

Capture.png

Highlighted
Level 7
Report Inappropriate Content
Message 6 of 9

Re: Comments in External Lists

Jump to solution

Erik - this is helpful also.  I wanted to lead in with some comments that detail what the syntax should be, and then I can also add comments here so we can track the entries also.

-Sean

Highlighted

Re: Comments in External Lists

Jump to solution

Sorry to jump in the middle here, but this raises an question for me:  Are the comments available as a property to the rest of the gateway?  My use case would be something like a custom black-list of malicious IP addresses with the comment being the date that specific entry was added to the list (or maybe it is the source of the blacklist, e.g. "Snort alert", or "ETPRO Reputation Feed".  Being able to include the comment in the Block page and/or the access.log would be pretty cool.  I looked around and couldn't find anything for this. 

Highlighted

Re: Comments in External Lists

Jump to solution

The list comments cannot be captured with a property and used anywhere like a block page.

They are strictly for documenting and viewing within the policy.

I've wanted something like that myself, but hasn't happened.

Highlighted
Level 11
Report Inappropriate Content
Message 9 of 9

Re: Comments in External Lists

Jump to solution

Hi clausonna

I think that you can do this with new Map Type that is available in 7.3.1 release. But comments should be on the same line as the data - so we could use regex to capture data & comments... You need to do following steps:

  • Create ExtLists settings with your data source (web service), specify URL, and also specify regular expression, like this: ^(.*?)(?:\s*#\s*(.*?))?$ - this exprassion shouldl have 2 capture groups so it could be used as a map
  • Create rule that should block destination IP. There are 2 possibilities here:
    • you can block by checking is DestinationIP-string is in Map, with something like: Map.HasKey(ExtLists.StringMap<your settings>(params...), IP.ToString(URL.DestinationIP))
    • or you can check is Destination IP in IP List that is also fetched by ExtLists filter with ExtLists.IPList<your settings>(params...) property - this maybe slightly faster from performance point of view, but will require additional fetch of data from external service.
  • If rule matches, then block request with custom block page that contains comment about given IP (see below)

File with data should have following form:

10.149.114.44 # bad site

194.87.0.50 # another bad site

173.194.64.106

Block page template can contain expression: Map.GetStringValue(ExtLists.StringMap<your settings>(params...), IP.ToString(URL.Destination.IP)) - this will fetch comment for given IP address

I attached file with rules & block page, so you can play with this approach

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community