
Leverage IDS or firewall to flag suspicious outbound behavior

Created: 19 Nov. 2010 | 4 Comments
Posted by Bill_K

Have the SEP client's firewall or IDS component maintain a list of 100 or so known active Command and Control servers, and report or block outbound access to those IPs based on configuration. Allow admins to add IPs, hosts or domains to the list as well. This wouldn't be a "perfect solution", but another important layer, since stopping malware is as much about not letting it communicate outbound as it is inbound.


gbishopSA:

This is a great idea, not currently possible in SEP 12.1. I would really like to see an import option for both IPS and Firewall, even using Host Groups in SEP - Symantec?

mtju:

Agreed. I would like to be able to import this list from a flat file (let's say), so that as the known CnC servers change, we can keep the list up to date (to a certain point, that is).

Bill_K:

To expand on the suggestion a tad: have that malicious IP list automatically "age off", like some blacklists/MSSPs operate. Say, for example, I identify a malicious host on the Comcast network; it's not likely to stay that way forever. So add an IP that automatically drops off after 3 (or 6) months. I use host groups to block outbound access to known-bad IPs right now, but would love more functionality around it.

mtju:

Nice addition. That certainly is the hardest part: keeping known offender IPs up to date.

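The two ideas raised in this thread, importing the known-C2 list from a flat file and having entries age off automatically, fit together in a small amount of code. The example below is added here and is not SEP's code or anything from the poster; the flat-file format (`indicator,date_added[,ttl_days]`), the indicators (documentation ranges and example.* hosts) and the outbound connection records are all constructed for illustration.

```python
from datetime import datetime, timedelta

DEFAULT_TTL_DAYS = 90  # entries age off after 3 months unless the file says otherwise

# Constructed flat file: one entry per line, "indicator,date_added[,ttl_days]".
BLOCKLIST_FILE = """\
# indicator,date_added,ttl_days
203.0.113.10,2010-09-01,90
198.51.100.7,2010-11-15,180
bad.example.net,2010-05-01,90
c2.example.org,2010-11-01
"""

# Constructed outbound connection records: (timestamp, dest_ip, dest_host or None).
OUTBOUND = [
    ("2010-11-19 10:00:00", "198.51.100.7", None),
    ("2010-11-19 10:01:00", "203.0.113.10", None),
    ("2010-11-19 10:02:00", "192.0.2.5", "bad.example.net"),
    ("2010-11-19 10:03:00", "192.0.2.9", "c2.example.org"),
    ("2010-11-19 10:04:00", "192.0.2.20", "www.example.com"),
]

def load_blocklist(text, now):
    """Parse the flat file into {indicator: expiry}, skipping entries that have aged off."""
    active = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        added = datetime.strptime(parts[1], "%Y-%m-%d")
        ttl = int(parts[2]) if len(parts) > 2 else DEFAULT_TTL_DAYS
        expiry = added + timedelta(days=ttl)
        if expiry > now:  # an entry past its expiry is simply never loaded
            active[parts[0].lower()] = expiry
    return active

def flag_outbound(records, blocklist):
    """Return (timestamp, ip, host, matched_indicator) for each record on the active list."""
    hits = []
    for ts, ip, host in records:
        for candidate in (ip, (host or "").lower()):  # match on IP first, then on host name
            if candidate and candidate in blocklist:
                hits.append((ts, ip, host, candidate))
                break
    return hits

def run_example(now_str="2010-11-19"):
    """Load the sample list as of now_str and flag the sample outbound records."""
    now = datetime.strptime(now_str, "%Y-%m-%d")
    return flag_outbound(OUTBOUND, load_blocklist(BLOCKLIST_FILE, now))
```

As of 19 Nov 2010 the entry for bad.example.net (added 1 May, 90-day TTL) has already aged off, so that connection is not flagged while the three current indicators are; re-running with an earlier date shows it still being flagged.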