1 Reply Latest reply on Mar 29, 2016 6:20 AM by peter.mason

    Question about best practice / automating things

    jlockie

      All,

       

      I am curious if there is any good / quick way to pull down data from .txt feeds into the IPS sensors for either firewall or signature based (custom signatures, for example URL inspection)?

       

      Here is a good example. Abuse.ch has pretty decent OSINT on ransomware URLs, domains, and IPs (see here: Blocklist | Ransomware Tracker). I have various security systems that can use this information, including the IPS sensors. Let's take the IPS firewall, for example... I can add the malicious IP addresses as rule objects, and then create firewall policies to start blocking these. But for IPv4 endpoint objects I can only add 10 IP addresses to an object. This is extremely restrictive, and leads me to wonder if I am going about this the wrong way? Also, I have to hand copy/paste each IP address, and cannot import/copy an entire list.

       

      All of this makes it extremely difficult and labor intensive to feed our own intelligence into the IPS.  Is there a better way to do this (that doesn't require another huge investment in product)?  I have these really capable boxes (NS 9100s) but they are not easy to work with "on the fly".  I also have really valuable intelligence, but nowhere to put it (as far as the NS 9100s are concerned)....

       

      Help?

        • 1. Re: Question about best practice / automating things
          peter.mason

          Hi Jlockie,

           

          No, you are not getting it wrong; there is a limit of 10 items to a rule object. You can specify a network range instead of a network address if the IP addresses are in blocks.

           

          There is an API that may allow you to feed your data into NSM; you should talk to support and see if it is possible. The API guide is only available from support.

           

          Your other option is to look at the integration guide and see if you can utilize any of your other applications to improve performance.

           

          Peter
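Added example, not part of the thread and not vendor code: one way to pre-process a plain-text IP feed so it fits the constraints discussed above, collapsing adjacent addresses into exact network ranges and batching the result into groups of at most 10 entries per rule object. The object naming scheme and the sample feed are assumptions; pushing the batches into NSM is left out because the API guide is only available from support.

```python
import ipaddress

MAX_ITEMS_PER_OBJECT = 10  # per-object limit stated in the thread

# Constructed sample feed (RFC 5737 documentation addresses, not real indicators).
SAMPLE_FEED = """\
# constructed blocklist sample
192.0.2.4
192.0.2.5
192.0.2.6
192.0.2.7
198.51.100.17
198.51.100.17
not-an-ip
203.0.113.0
203.0.113.1
"""

def parse_feed(text):
    """Return (sorted unique IPv4 addresses, rejected lines) from a one-per-line feed."""
    addrs, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        try:
            addrs.add(ipaddress.IPv4Address(line))
        except ipaddress.AddressValueError:
            rejected.append(line)  # never pass unvalidated text to a block rule
    return sorted(addrs), rejected

def build_rule_objects(text, prefix="osint-block"):
    """Collapse addresses into exact CIDR ranges, then batch 10 per object.

    `prefix` and the dict layout are hypothetical, not an NSM format.
    """
    addrs, rejected = parse_feed(text)
    # collapse_addresses only merges ranges that are fully covered by the feed,
    # so no address outside the feed ends up blocked.
    nets = list(ipaddress.collapse_addresses(
        ipaddress.IPv4Network(f"{a}/32") for a in addrs))
    objects = [
        {"name": f"{prefix}-{i // MAX_ITEMS_PER_OBJECT + 1:03d}",
         "members": [str(n) for n in nets[i:i + MAX_ITEMS_PER_OBJECT]]}
        for i in range(0, len(nets), MAX_ITEMS_PER_OBJECT)
    ]
    return objects, rejected

if __name__ == "__main__":
    objs, bad = build_rule_objects(SAMPLE_FEED)
    for obj in objs:
        print(obj["name"], obj["members"])
    print("rejected:", bad)
```

Review the rejected lines before each import; a feed that suddenly produces many rejects or an unexpectedly large range is worth checking by hand before it becomes a blocking policy.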