
Leverage IDS or firewall to flag suspicious outbound behavior

Created: 19 Nov 2010 | 4 comments
Bill_K
1 Agree, 0 Disagree (+1, 1 vote)

Have the SEP client's firewall or IDS component maintain a list of 100 or so known active Command and Control servers, and report or block outbound access to those IPs based on configuration. Allow admins to add IPs, hosts or domains to the list as well. This wouldn't be a "perfect solution", but another important layer, since stopping malware is as much about not letting it communicate outbound as it is inbound.

Comments (4)

gbishopSA:
This is a great idea, not currently possible in SEP 12.1. I would really like to see an import option for both IPS and Firewall, even using Host Groups in SEP. Symantec?

Votes: 0
mtju:
Agreed. I would like to be able to import this list from a flat file (let's say), so that as the known CnC servers change, we can keep the list up to date (to a certain point, that is).

Votes: 0
Bill_K:
To expand on the suggestion a tad: have that malicious IP list automatically "age off", like some blacklists/MSSPs operate. Say, for example, I identify a malicious host on the Comcast network; it's not likely to stay that way forever. So add an IP that automatically drops off after 3 (or 6) months. I use host groups to block outbound access to known-bad IPs right now, but would love more functionality around it.

Votes: +1
mtju:
Nice addition. That certainly is the hardest part: keeping known offender IPs up to date.

Votes: 0
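The thread asks for three things: an outbound C2 indicator list that an endpoint firewall/IDS reports on or blocks (the original idea), import of that list from a flat file (mtju), and entries that age off after a few months (Bill_K). The script below is an added example, not SEP code or anything Symantec ships, showing how those three pieces fit together: it parses a constructed flat-file blocklist of IPs, CIDRs and domains with an added date and TTL, drops entries past their TTL, matches outbound connections from constructed firewall log lines against the survivors, and renders the IP entries as iptables OUTPUT rules. All indicators come from the RFC 5737 documentation ranges and example.net; the file layout, the log format and the 90-day default TTL are assumptions of this example, not a format any product uses.

```python
"""Outbound C2 blocklist with flat-file import and age-off (added example).

All indicators and log lines are constructed; RFC 5737 documentation
ranges and example.net stand in for real command-and-control hosts.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

DEFAULT_TTL_DAYS = 90  # assumption: unlisted TTL means roughly three months


@dataclass
class Indicator:
    value: str       # IP address, CIDR network, or domain name (lower-cased)
    added: date      # date the entry was added to the list
    ttl_days: int    # age-off window; entry is dropped once expired
    source: str      # who supplied it (admin, MSSP feed, ...)

    def expires(self) -> date:
        return self.added + timedelta(days=self.ttl_days)

    def network(self) -> Optional[ipaddress._BaseNetwork]:
        """The indicator as a network, or None when it is a domain name."""
        try:
            return ipaddress.ip_network(self.value, strict=False)
        except ValueError:
            return None


def parse_blocklist(text: str, today: date) -> List[Indicator]:
    """Parse 'indicator,added,ttl_days,source' lines (assumed layout).

    '#' starts a comment; blank fields fall back to today / DEFAULT_TTL_DAYS /
    'manual'. Entries whose TTL has elapsed are aged off and not returned.
    """
    active = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        added = date.fromisoformat(parts[1]) if len(parts) > 1 and parts[1] else today
        ttl = int(parts[2]) if len(parts) > 2 and parts[2] else DEFAULT_TTL_DAYS
        source = parts[3] if len(parts) > 3 and parts[3] else "manual"
        ind = Indicator(parts[0].lower(), added, ttl, source)
        if ind.expires() <= today:
            continue  # aged off, as the thread suggests
        active.append(ind)
    return active


def match_outbound(indicators: List[Indicator], dst_ip: str,
                   dst_host: Optional[str] = None) -> Optional[Indicator]:
    """Return the first indicator matching a destination IP or hostname."""
    addr = ipaddress.ip_address(dst_ip)
    host = (dst_host or "").lower().rstrip(".")
    for ind in indicators:
        net = ind.network()
        if net is not None:
            if addr.version == net.version and addr in net:
                return ind
        elif host and (host == ind.value or host.endswith("." + ind.value)):
            return ind  # domain match covers subdomains too
    return None


def scan_log(indicators: List[Indicator], log_lines: List[str],
             mode: str = "report") -> List[Tuple[str, str, str, str]]:
    """Check constructed 'ts key=value ...' log lines; mode is report or block."""
    action = "block" if mode == "block" else "report"
    hits = []
    for line in log_lines:
        tokens = line.split()
        fields = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        ind = match_outbound(indicators, fields["dst"], fields.get("host"))
        if ind is not None:
            hits.append((tokens[0], fields["dst"], ind.value, action))
    return hits


def render_iptables(indicators: List[Indicator]) -> List[str]:
    """One OUTPUT DROP rule per IP/CIDR; domains are left to DNS/proxy controls."""
    rules = []
    for ind in indicators:
        if ind.network() is not None:
            rules.append(f"iptables -A OUTPUT -d {ind.value} -j DROP"
                         f"  # {ind.source}, expires {ind.expires()}")
        else:
            rules.append(f"# domain {ind.value}: enforce at DNS/proxy, expires {ind.expires()}")
    return rules


# Constructed sample data (documentation ranges only, not real C2 servers).
TODAY = date(2010, 11, 19)
SAMPLE_BLOCKLIST = """\
# indicator, added, ttl_days, source
203.0.113.5,2010-11-01,90,mssp-feed
198.51.100.0/24,2010-05-01,90,mssp-feed   # older than 90 days: aged off
c2.example.net,2010-10-15,180,manual
192.0.2.77,,,manual                       # added today, default TTL
"""
SAMPLE_LOG = [
    "2010-11-19T10:01:02 src=10.0.0.5 dst=203.0.113.5 dport=443",
    "2010-11-19T10:02:10 src=10.0.0.5 dst=198.51.100.9 dport=80",
    "2010-11-19T10:03:30 src=10.0.0.7 dst=192.0.2.10 dport=443 host=beacon.c2.example.net",
    "2010-11-19T10:04:00 src=10.0.0.7 dst=192.0.2.77 dport=8080",
    "2010-11-19T10:05:00 src=10.0.0.9 dst=192.0.2.200 dport=443 host=www.example.com",
]

if __name__ == "__main__":
    active = parse_blocklist(SAMPLE_BLOCKLIST, TODAY)
    for hit in scan_log(active, SAMPLE_LOG, mode="block"):
        print("%s %s matched %s -> %s" % hit)
    print("\n".join(render_iptables(active)))
```

Running it with the sample data drops the 198.51.100.0/24 entry (added in May, 90-day TTL) before the log is scanned, so the connection to 198.51.100.9 is not flagged, while the three connections to still-active indicators are; the hostname match catches the beacon subdomain even though its IP is not on the list. Re-running the same parse on a later date is all the age-off needs, so a daily import of the flat file keeps the enforced list current without anyone pruning it by hand.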