1 Reply Latest reply on Jan 2, 2012 4:36 PM by sliedl

    blackhole category for Attack Responses

    Arshad

      Hi, I want to ask how I can search on Firewall Sidewinder ver 8.1.2 whether a particular IP is blackholed under a particular category. Meaning, in the Attack Responses option in the GUI we have different categories of classes, like IPS, DOS, IPS Signature, IPS Intrusion All, etc. If I want to check under which of the categories of attack responses a particular REAL IP is blackholed, then what is the command?


      regards,

        • 1. Re: blackhole category for Attack Responses
          sliedl

          My source IP is 10.10.15.10.
          My default route is a version 8 firewall at 10.10.15.8.
          I created a rule to Deny port 23 from internal to external.  This will create an 'ACL Deny' audit message whenever I try to go out on port 23.
          I edited the default 'ACL Deny' Attack Response to blackhole an IP for 30 seconds if the IP creates 5 'ACL Deny' audit events in 30 seconds.
          I then tried to telnet on port 23 to the IP 1.1.1.1.  After 5 attempts my IP was blackholed.


          Here are the audit messages:

          ------------------------------
          swv8-1:Admn {1} % acat -k

           

          2012-01-02 16:49:12 -0500 f_telnet_proxy a_aclquery t_attack p_major
          pid: 34309 logid: 0 cmd: 'tnauthp' hostname: swv8-1.fwdomain.com
          category: policy_violation event: ACL deny attackip: 10.10.15.10
          attackzone: internal application: Telnet srcip: 10.10.15.10 srcport: 4513
          srczone: internal protocol: 6 dst_geo: AU dstip: 1.1.1.1 dstport: 23
          dstzone: external rule_name: Deny 23 cache_hit: 0
          reason: Traffic denied by policy.

           

          2012-01-02 16:49:26 -0500 f_telnet_proxy a_aclquery t_attack p_major
          pid: 34309 logid: 0 cmd: 'tnauthp' hostname: swv8-1.fwdomain.com
          category: policy_violation event: ACL deny attackip: 10.10.15.10
          attackzone: internal application: Telnet srcip: 10.10.15.10 srcport: 4515
          srczone: internal protocol: 6 dst_geo: AU dstip: 1.1.1.1 dstport: 23
          dstzone: external rule_name: Deny 23 cache_hit: 1
          reason: Traffic denied by policy.

           

          2012-01-02 16:49:28 -0500 f_telnet_proxy a_aclquery t_attack p_major
          pid: 34309 logid: 0 cmd: 'tnauthp' hostname: swv8-1.fwdomain.com
          category: policy_violation event: ACL deny attackip: 10.10.15.10
          attackzone: internal application: Telnet srcip: 10.10.15.10 srcport: 4517
          srczone: internal protocol: 6 dst_geo: AU dstip: 1.1.1.1 dstport: 23
          dstzone: external rule_name: Deny 23 cache_hit: 1
          reason: Traffic denied by policy.

           

          2012-01-02 16:49:29 -0500 f_telnet_proxy a_aclquery t_attack p_major
          pid: 34309 logid: 0 cmd: 'tnauthp' hostname: swv8-1.fwdomain.com
          category: policy_violation event: ACL deny attackip: 10.10.15.10
          attackzone: internal application: Telnet srcip: 10.10.15.10 srcport: 4518
          srczone: internal protocol: 6 dst_geo: AU dstip: 1.1.1.1 dstport: 23
          dstzone: external rule_name: Deny 23 cache_hit: 1
          reason: Traffic denied by policy.

           

          2012-01-02 16:49:30 -0500 f_telnet_proxy a_aclquery t_attack p_major
          pid: 34309 logid: 0 cmd: 'tnauthp' hostname: swv8-1.fwdomain.com
          category: policy_violation event: ACL deny attackip: 10.10.15.10
          attackzone: internal application: Telnet srcip: 10.10.15.10 srcport: 4519
          srczone: internal protocol: 6 dst_geo: AU dstip: 1.1.1.1 dstport: 23
          dstzone: external rule_name: Deny 23 cache_hit: 1
          reason: Traffic denied by policy.

           

          2012-01-02 16:49:30 -0500 f_auditbotd a_server t_alert p_major
          pid: 1647 logid: 0 cmd: 'auditbotd' hostname: swv8-1.fwdomain.com
          event: alert triggered alert_name: ACL Deny alert_type: Attack num_events: 5
          start_time: 2012-01-02 16:49:12 -0500 end_time: 2012-01-02 16:49:30 -0500
          sacap_filter: event AUDIT_R_ACLDENY alert_actions: blackhole

           

          2012-01-02 16:49:30 -0500 f_kernel a_blkh t_blackhole p_major
          hostname: swv8-1.fwdomain.com event: blackhole add srcip: 10.10.15.10
          srczone: internal seconds: 30
          reason: This host was added to the blackhole table.
          ------------------------------


          The last two events are the ones you are interested in.
          The first event tells you which 'Attack Response' you hit (the "alert_name: ACL Deny" part of the audit message).
          The second event tells you the IP that was blackholed.


          You can find both of these types of audits with this sacap filter:
          swv8-1:Admn {2} % acat -e "(event AUDIT_R_BLKH_ADD and srcip 10.10.15.10) or alert_actions blackhole"
          (Just replace the srcip with the correct IP from your setup)


          You can see all the blackholed IPs and the amount of time left on their quarantine with this command:
          $> blackhole dump
          You can remove all the blackholed IPs with this command:
          $> blackhole flush
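As an added example (not part of the thread or a Sidewinder tool), the script below parses saved `acat` output in the record layout shown above and answers the original question offline: which Attack Response blackholed a given IP. Because the `alert triggered` event names the response but not the IP, and the `blackhole add` event names the IP but not the response, the two are joined on timestamp (nearest preceding blackhole alert within a few seconds), which is an assumption of this example; the sample records are constructed, modelled on the ones posted.

```python
import re
from datetime import datetime

# Constructed sample modelled on the acat output in the reply above (not a real capture).
SAMPLE = """\
2012-01-02 16:49:30 -0500 f_telnet_proxy a_aclquery t_attack p_major
pid: 34309 logid: 0 cmd: 'tnauthp' hostname: swv8-1.fwdomain.com
category: policy_violation event: ACL deny attackip: 10.10.15.10
reason: Traffic denied by policy.

2012-01-02 16:49:30 -0500 f_auditbotd a_server t_alert p_major
event: alert triggered alert_name: ACL Deny alert_type: Attack num_events: 5
start_time: 2012-01-02 16:49:12 -0500 end_time: 2012-01-02 16:49:30 -0500
sacap_filter: event AUDIT_R_ACLDENY alert_actions: blackhole

2012-01-02 16:49:30 -0500 f_kernel a_blkh t_blackhole p_major
hostname: swv8-1.fwdomain.com event: blackhole add srcip: 10.10.15.10
srczone: internal seconds: 30
reason: This host was added to the blackhole table.
"""

# Header line: timestamp with UTC offset, then the f_/a_/t_/p_ tokens.
HEADER = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}) (f_\w+) (a_\w+) (t_\w+) (p_\w+)$")
# "key: value" pairs; a value runs until the next "key: " token, so values may contain spaces.
FIELD = re.compile(r"(\w+): (.*?)(?=\s\w+: |\Z)", re.S)

def parse_audit(text):
    """Split acat output on blank lines; each record becomes a dict of its fields."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER.match(lines[0].strip())
        if not m:
            continue  # not an audit header (noise or a truncated record); skip it
        rec = {"time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z"),
               "facility": m.group(2), "area": m.group(3), "type": m.group(4), "priority": m.group(5)}
        rec.update(FIELD.findall(" ".join(lines[1:])))
        records.append(rec)
    return records

def blackhole_reasons(records, window_s=5):
    """Map each blackholed IP to (alert_name, seconds) of the Attack Response that fired.
    Join heuristic (assumption): the nearest 'alert triggered' event with
    alert_actions: blackhole that is not older than window_s seconds."""
    alerts = [r for r in records if r["type"] == "t_alert" and r.get("alert_actions") == "blackhole"]
    result = {}
    for r in records:
        if r["type"] != "t_blackhole" or r.get("event") != "blackhole add":
            continue
        near = [a for a in alerts if 0 <= (r["time"] - a["time"]).total_seconds() <= window_s]
        name = max(near, key=lambda a: a["time"])["alert_name"] if near else None
        result[r["srcip"]] = (name, int(r.get("seconds", 0)))
    return result
```

Run it on the output of `acat -k > audit.txt` (or the filtered `acat -e` command above) to see every blackholed IP paired with the response name; a `None` response means no matching alert event fell inside the window.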