9 Replies Latest reply: Jul 26, 2013 2:28 PM by squidikus

    Attack Response Blackhole Issue


      Hi guys, first post here!



      A filter was created to BlackHole an IP when an HTTP GET to a specific URL was made.

      The filter syntax is below.


      request_command GET and url "http://xxx.xxx.xxx.xxx/yabadabadoo.asp"


      This was then referenced by an attack response and was set to blackhole the source IP. I have also made the change to the global blackhole setting to blackhole the source if the attack IP cannot be determined.


      This filter works in the sense that I receive an email stating that the URL was accessed and also that the IP has been blackholed. However, when accessing the link or any content on the server from the blackholed address, I am still able to browse content.


      The reasoning for creating such a rule is that this specific URL would have to be typed by an individual who is either curious or malicious, and also this link is not accessible from any link on the website. I know that I can achieve this by removing the link from the site, but I would like the firewall to blackhole this for me.


      Thanks for any help that can be given.