
Blocking Blacklisted IPs using SCSP

Created: 14 Apr 2013 • Updated: 17 Apr 2013 | 7 comments

Is it possible to block a list of IPs (Close to 30K) using SCSP Agent? I found the option of adding Blacklisted IPs in Detection Policy under the Windows Base Policy but could not find the same under any Prevention Policy.

My understanding is that SCSP relies on a whitelist to allow traffic from specific machines rather than a blacklist to block traffic from a handful of machines and allow the rest. Also, please share the format in which the CSV file is configured to add the Batch IP List.

Thanks in advance,

Amit Bhatnagar


Comments (7)

Alex_CST

It works in the format 192.168.10.0/24, for example, which means you can block entire ranges.


Chuck Edson

You can import a list of IP addresses into an IPS policy using the %?ImportFileList(<filepath>)?% function.

I am not sure how the performance of the IPS driver would be impacted by 30k individual addresses; you will have to test in your environment. Like Alex mentioned, using CIDR format would probably be more efficient.

Note that this list will be re-imported every 5 minutes by default when the automatic policy re-translation takes place, so you can add and remove addresses on the fly with this mechanism.

See Appendix B of the SCSP_Prevention_Policy_Reference_Guide.pdf (attached) for more information.

Attachment: SCSP_Prevention_Policy_Reference_Guide.pdf (1.11 MB)


SOLUTION
bamit99

I apologize for not giving many details earlier. The server on which the SCSP agent is installed is a web-facing server, and the ~30000 IPs are part of the globally shared spam and mischievous IP lists and hence random. This is why we cannot use block ranges like 192.168.1.0/24. Also, please correct me if I am wrong, but according to the document, it says

"The Core policy prevents remote computers from making inbound network connections to an agent computer. Exception lists allow specific remote computers to make inbound network connections."

What I understand from this statement is that the concept is a whitelist and not a blacklist, i.e. it will block all IPs and allow only those mentioned in the list, not the other way around. Please correct me if I have read this statement wrong.

Chuck Edson

The Core policy comes configured like that. If you open up the network rules, you will see that there are both allow and deny options, so technically you can go either way: whitelist or blacklist.

However, as I mentioned earlier, you will need to test this to see what kind of impact 30k deny rules will have on your system.


bamit99

Thank you! We are currently looking at the options and have asked Symantec for an official statement by email. This way, I could convince the client to go either way. In my understanding SCSP is not really the best product to perform this action; this is why we have an edge-based firewall!

Anyway, let's see. Thank you for your support!

AMoss

It is highly likely that a list of 30k IP addresses would choke the translation engine. I tried a similar task but was attempting to import a list of ~8k file names, which caused the policy translator to consume 100% of the CPU until the process was terminated and a different policy was applied.


bamit99

Very useful and relevant information. Thanks! We ran into issues yesterday with 17K IPs. The rest were not properly formatted and I left them out. The SCSP client gave a critical error about the parser and failed. Luckily, the policy did not apply and the machine is still on the policy that had only one blocked IP, and hence is working fine.