601 Views 9 Replies Latest reply: Jul 26, 2013 2:28 PM by squidikus RSS
squidikus Newcomer 38 posts since
Jul 12, 2013
Jul 12, 2013 12:59 PM

Attack Response Blackhole Issue

Hi guys, first post here!

A filter was created to blackhole an IP when an HTTP GET to a specific URL was made.

The filter syntax is below.

 

request_command GET and url "http://xxx.xxx.xxx.xxx/yabadabadoo.asp"

 

This was then referenced by an attack response and was set to blackhole the source IP. I have also made the change to the global blackhole setting to blackhole the source if the attack IP cannot be determined.

 

This filter works in the sense that A. I receive an email stating that the URL was accessed and also that the IP has been blackholed. However, when accessing the link or any content on the server from the blackholed address, I am still able to browse content.

 

The reasoning for creating such a rule is that this specific URL would have to be typed by an individual who is either curious or malicious, and also this link is not accessible from any link on the website. I know that I can achieve this by removing the link from the site, but I would like the firewall to blackhole this for me.

 

Thanks for any help that can be given.
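
One way to confirm the symptom described above from the web server's side, as an added example that is not part of the original post or of the firewall product: it scans access-log lines for sources that made a GET to the decoy URL and lists every request from the same source that the server still received afterwards. The log lines are a constructed sample, and NCSA common log format and the function names are assumptions; only the decoy path comes from the post.

```python
import re
from datetime import datetime

DECOY_PATH = "/yabadabadoo.asp"  # decoy URL path taken from the post

# Constructed sample in NCSA common log format (assumed format, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jul/2013:12:40:01 +0000] "GET /index.asp HTTP/1.1" 200 5120
198.51.100.7 - - [12/Jul/2013:12:41:15 +0000] "GET /yabadabadoo.asp HTTP/1.1" 200 312
198.51.100.7 - - [12/Jul/2013:12:41:50 +0000] "GET /index.asp HTTP/1.1" 200 5120
192.0.2.10 - - [12/Jul/2013:12:42:03 +0000] "GET /about.asp HTTP/1.1" 200 2048
198.51.100.7 - - [12/Jul/2013:12:43:09 +0000] "GET /images/logo.png HTTP/1.1" 304 0
203.0.113.5 - - [12/Jul/2013:12:44:30 +0000] "POST /yabadabadoo.asp HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def parse(line):
    """Return (ip, timestamp, method, path without query string) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]

def served_after_decoy(log_text, decoy=DECOY_PATH):
    """Map each source that made a GET to the decoy path to the requests the
    web server still logged from it later. A non-empty list means traffic
    from a source that should be blackholed is still reaching the server."""
    tripped = {}  # ip -> time of its first decoy GET
    leaks = {}    # ip -> [(timestamp, path), ...] seen after that time
    records = sorted(filter(None, map(parse, log_text.splitlines())),
                     key=lambda r: r[1])
    for ip, ts, method, path in records:
        if ip in tripped:
            # Log timestamps have one-second resolution, so requests in the
            # same second as the decoy hit are not counted as leaks.
            if ts > tripped[ip]:
                leaks[ip].append((ts, path))
        elif method == "GET" and path == decoy:  # filter in the post is GET-only
            tripped[ip] = ts
            leaks[ip] = []
    return leaks
```

An empty list for a tripped source is the expected result once the blackhole is effective; entries in the list give the times and paths to compare against the firewall's audit records.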
