Leverage IDS or firewall to flag suspicious outbound behavior
Created: 19 Nov 2010 | 4 comments
Have the SEP client's firewall or IDS component maintain a list of 100 or so known active Command and Control servers, and report or block outbound access to those IPs based on configuration. Allow admins to add IPs, hosts or domains to the list as well. This wouldn't be a "perfect solution", but another important layer, since stopping malware is as much about not letting it communicate outbound as it is inbound.
This is a great idea, not currently possible in SEP 12.1. I would really like to see an import option for both IPS and Firewall, even using Host Groups in SEP - Symantec?
Agreed. I would like to be able to import this list from a flat file (let's say), so that as the known CnC servers change, we can keep the list up to date (to a certain point, that is).
To expand on the suggestion a tad: have that malicious IP list automatically "age off", like some blacklists/MSSPs operate. Say, for example, I identify a malicious host on the Comcast network; it's not likely to stay that way forever. So add an IP that automatically drops off after 3 (or 6) months. I use host groups to block outbound access to known-bad IPs right now, but would love more functionality around it.
Nice addition. That certainly is the hardest part: keeping known-offender IPs up to date.
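The thread above asks for three things: a list of known C2 IPs, hosts and domains that the endpoint firewall or IDS consults for outbound connections, an import from a flat file so the list can be refreshed, and an age-off so stale indicators drop out on their own. The Python below is an added example written for this page to show how those pieces fit together; it is not SEP code and SEP has no such file format. The flat-file layout (indicator, action, date added, optional TTL), the 90-day default TTL, the block-beats-report rule, and every sample indicator and connection are assumptions constructed for the example; the addresses come from documentation ranges and are not real C2 servers.

```python
"""Outbound C2 blocklist: flat-file import, block-or-report action, age-off.

Constructed example. The file format, defaults and sample data are assumptions,
not a SEP feature or file format.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Union

DEFAULT_TTL_DAYS = 90  # assumed default: age off after roughly three months

# Constructed sample flat file. One entry per line:
#   indicator,action,added[,ttl_days]
# indicator: IPv4/IPv6 address, CIDR range, or domain (matches its subdomains)
# action:    "block" (drop the connection) or "report" (log only)
# added:     ISO date the indicator was added; ttl_days "never" disables age-off
SAMPLE_BLOCKLIST = """\
# constructed sample indicators (documentation ranges, not real C2 servers)
198.51.100.23,block,2010-09-01
203.0.113.0/24,report,2010-10-15,180
c2.example.net,block,2010-11-10
old-c2.example.org,block,2010-05-01
10.9.8.7,block,2010-01-01,never
"""

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Entry:
    indicator: str
    action: str
    added: date
    ttl_days: Optional[int]       # None: the entry never ages off
    network: Optional[Network]    # parsed address/range, or None for a domain entry

    def is_expired(self, as_of: date) -> bool:
        if self.ttl_days is None:
            return False
        return as_of > self.added + timedelta(days=self.ttl_days)

    def matches(self, dst_ip: str, dst_host: Optional[str]) -> bool:
        if self.network is not None:
            # address or range entry; an IPv4 address in an IPv6 range is a non-match
            return ipaddress.ip_address(dst_ip) in self.network
        if not dst_host:
            return False  # domain entries need a destination hostname to compare
        host = dst_host.lower().rstrip(".")
        dom = self.indicator.lower()
        return host == dom or host.endswith("." + dom)


def parse_blocklist(text: str) -> list:
    """Parse the flat file; raise ValueError naming the line on malformed input."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # comments and blank lines are skipped
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 3 or parts[1] not in ("block", "report"):
            raise ValueError(f"line {lineno}: expected indicator,action,added[,ttl_days]")
        ttl: Optional[int] = DEFAULT_TTL_DAYS
        if len(parts) > 3:
            ttl = None if parts[3] == "never" else int(parts[3])
        network: Optional[Network] = None
        try:
            network = ipaddress.ip_network(parts[0], strict=False)
        except ValueError:
            pass  # not an address or range: treat the indicator as a domain
        entries.append(Entry(parts[0], parts[1], date.fromisoformat(parts[2]), ttl, network))
    return entries


def active_entries(entries: list, as_of: str) -> list:
    """Entries still in force on the given ISO date; the rest have aged off."""
    today = date.fromisoformat(as_of)
    return [e for e in entries if not e.is_expired(today)]


def check_outbound(entries: list, dst_ip: str, dst_host: Optional[str], as_of: str) -> str:
    """Return 'block', 'report' or 'allow' for one outbound connection.

    A block entry wins over a report entry when both match, e.g. a blocked
    host inside a range that is only reported.
    """
    verdict = "allow"
    for entry in active_entries(entries, as_of):
        if entry.matches(dst_ip, dst_host):
            if entry.action == "block":
                return "block"
            verdict = "report"
    return verdict


if __name__ == "__main__":
    rules = parse_blocklist(SAMPLE_BLOCKLIST)
    # constructed outbound connections: (destination IP, hostname if known)
    for ip, host in [("198.51.100.23", None), ("203.0.113.77", "cdn.example.com"),
                     ("192.0.2.10", "beacon.c2.example.net"), ("192.0.2.11", "old-c2.example.org")]:
        print(ip, host, check_outbound(rules, ip, host, "2010-11-19"))
```

Two details worth keeping when building something like this for real: age-off is evaluated at lookup time against the date the indicator was added, so a refreshed flat file that re-lists an indicator with a newer date simply extends its life, and a malformed line fails the whole import with its line number rather than silently dropping entries, so a bad refresh cannot quietly empty the list.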