947 Views 8 Replies Latest reply: Feb 1, 2013 1:54 AM by alexott
ctsean Newcomer 7 posts since
Nov 9, 2011

Jan 28, 2013 9:07 AM

Comments in External Lists

Is it possible to add comments to an external list text file? 

 

I am setting up an IP list and want to add comments for my team members to indicate the syntax the list is looking for.  Any insight would be much appreciated.

 

Thank you!

  • alexott McAfee Employee 125 posts since
    Jan 19, 2011
    1. Jan 28, 2013 9:17 AM (in response to ctsean)
    Re: Comments in External Lists

    Hello

     

    For plain text files you can specify a regex that will be used to select the lines that will be imported. For example, if you want to treat lines that start with the '#' character as comments, then you need to specify a regex like ^[^#].*, so only strings that don't start with '#' will be included in the list.

  • alexott McAfee Employee 125 posts since
    Jan 19, 2011
    3. Jan 28, 2013 9:32 AM (in response to ctsean)
    Re: Comments in External Lists

    Yes, nothing specific was built into MWG to specify comments. But regexes will work without any problem...

  • eelsasser McAfee SME 842 posts since
    Mar 24, 2010
    4. Jan 28, 2013 9:58 AM (in response to alexott)
    Re: Comments in External Lists

    However, Subscribed lists can have comments.

    If I have a list like this on a web server:

     

    type=string
    "208.99.94.78" "Comment 1"
    164.109.94.147
    "212movie.com" "Another comment"
    "actforlove.typepad.com" "What is this?"
    "active.com" "comment"
    activehealthsftp.net

     

    Then they will be viewable on the list:

    Capture.png

  • clausonna Newcomer 18 posts since
    Nov 11, 2009
    6. Jan 31, 2013 10:37 AM (in response to eelsasser)
    Re: Comments in External Lists

    Sorry to jump in the middle here, but this raises a question for me: Are the comments available as a property to the rest of the gateway? My use case would be something like a custom black-list of malicious IP addresses with the comment being the date that specific entry was added to the list (or maybe it is the source of the blacklist, e.g. "Snort alert", or "ETPRO Reputation Feed"). Being able to include the comment in the Block page and/or the access.log would be pretty cool. I looked around and couldn't find anything for this.

  • eelsasser McAfee SME 842 posts since
    Mar 24, 2010
    7. Jan 31, 2013 10:44 AM (in response to clausonna)
    Re: Comments in External Lists

    The list comments cannot be captured with a property and used anywhere like a block page.

    They are strictly for documenting and viewing within the policy.

    I've wanted something like that myself, but it hasn't happened.

  • alexott McAfee Employee 125 posts since
    Jan 19, 2011
    8. Feb 1, 2013 1:54 AM (in response to clausonna)
    Re: Comments in External Lists

    Hi clausonna

     

    I think that you can do this with the new Map Type that is available in the 7.3.1 release. But comments should be on the same line as the data - so we could use a regex to capture data & comments... You need to do the following steps:

    • Create ExtLists settings with your data source (web service), specify the URL, and also specify a regular expression, like this: ^(.*?)(?:\s*#\s*(.*?))?$ - this expression should have 2 capture groups so it could be used as a map
    • Create a rule that should block the destination IP. There are 2 possibilities here:
      • you can block by checking whether the DestinationIP string is in the Map, with something like: Map.HasKey(ExtLists.StringMap<your settings>(params...), IP.ToString(URL.DestinationIP))
      • or you can check whether the Destination IP is in an IP List that is also fetched by the ExtLists filter with the ExtLists.IPList<your settings>(params...) property - this may be slightly faster from a performance point of view, but will require an additional fetch of data from the external service.
    • If the rule matches, then block the request with a custom block page that contains the comment about the given IP (see below)

     

    The file with data should have the following form:

     

    10.149.114.44 # bad site
    194.87.0.50 # another bad site
    173.194.64.106

     

    The block page template can contain the expression: Map.GetStringValue(ExtLists.StringMap<your settings>(params...), IP.ToString(URL.Destination.IP)) - this will fetch the comment for the given IP address

     

    I attached a file with rules & block page, so you can play with this approach
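
Added example (not part of the thread and not McAfee code): a Python pre-check that runs a feed through the two regular expressions quoted in the replies above, ^[^#].* for plain lists and ^(.*?)(?:\s*#\s*(.*?))?$ for the map, and reports lines whose captured key is not a valid IP address. It assumes Python's re module handles these patterns the same way as the gateway's regex engine; the sample lines and function names are constructed for illustration.

```python
import ipaddress
import re

# Both patterns are quoted from the replies above.
FILTER_RE = re.compile(r"^[^#].*")                # plain list: import non-'#' lines
MAP_RE = re.compile(r"^(.*?)(?:\s*#\s*(.*?))?$")  # map: group 1 = key, group 2 = comment

# Constructed sample feed: the three lines from the post plus edge cases.
SAMPLE_LINES = [
    "10.149.114.44 # bad site",
    "194.87.0.50 # another bad site",
    "173.194.64.106",
    "# format: IP # comment",              # whole-line comment
    "  # indented note",                   # comment with leading spaces
    "198.51.100.7   ",                     # trailing spaces, no comment
    "203.0.113.300 # typo in last octet",  # not a valid IPv4 address
]


def imported_lines(lines):
    """Lines the plain-list filter regex would select for import."""
    return [ln for ln in lines if FILTER_RE.match(ln)]


def parse_map(lines):
    """Split lines into {ip: comment} plus (line_number, captured_key) problems."""
    mapping, problems = {}, []
    for lineno, line in enumerate(lines, 1):
        m = MAP_RE.match(line)  # always matches: group 1 can absorb the whole line
        key, comment = m.group(1), m.group(2) or ""
        try:
            ipaddress.ip_address(key)  # rejects empty, padded and out-of-range keys
        except ValueError:
            problems.append((lineno, key))
            continue
        mapping[key] = comment
    return mapping, problems


if __name__ == "__main__":
    print("filter keeps:", imported_lines(SAMPLE_LINES))
    entries, bad = parse_map(SAMPLE_LINES)
    print("map entries:", entries)
    for lineno, key in bad:
        print(f"line {lineno}: unusable key {key!r}")
```

On the sample, the plain-list filter still admits the indented comment line, and the map regex captures an empty key for whole-line comments and keeps trailing spaces inside the key when no comment follows.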
