RuiCosta
Explorer

HTTP Inspection with personalized content filter

Hi all,

We have some Microsoft packets coming from MS ISP IP addresses on HTTPS.
Those packets are originated by MS services for authentication purposes.
They are proxied through our firewall and forwarded to our on-premise federated auth infrastructure in the DMZ.

We receive both legitimate auth requests and brute force attacks.
The source IP addresses are always trusted MS IPs and cannot be filtered or dropped.

We would like to know if there is a way to enable inbound HTTPS inspection, parsing the content (the IP address inside the message) against a list of IPs that we know to be malicious and collect in other ways, and finally prevent the packet from reaching the auth infrastructure.


The Check Point IPS IP reputation alone may not be enough for us.

(For now Microsoft says there is no way for them to block those requests...)

Many thanks 🙂
Rui

0 Kudos
4 Replies
PhoneBoy
Admin

How precisely is the IP encoded in the traffic?
If it's not in an IP or an HTTP header, it'll probably require an RFE.

0 Kudos
RuiCosta
Explorer

Hi, thanks for your answer. Unfortunately it is inside the message body.
I suppose that a way must exist maybe in another blade like AV.

0 Kudos
PhoneBoy
Admin

For Threat Prevention, you have the ability to create Snort Signatures.

0 Kudos
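As an added example (not from this thread and not Check Point's own tooling): a small Python generator that turns a blocklist of IPs into Snort rules matching those addresses in an inspected HTTP request body, plus a local matcher that shows why the content match needs anchoring. It assumes the IP appears as plain dotted-quad text in the body, Snort 2 rule syntax, and that the platform's Snort import honours `http_client_body` and `pcre` (check the supported subset before importing); the blocklist addresses are constructed documentation-range values.

```python
import ipaddress
import re

# Constructed sample blocklist (documentation-range addresses, not from the thread)
BLOCKLIST = ["203.0.113.10", "198.51.100.7", "203.0.113.1", "203.0.113.10"]


def anchored_pattern(ip: str) -> str:
    """Regex for one IP that refuses to match inside a longer address,
    so a rule for 203.0.113.1 does not also fire on 203.0.113.10."""
    return r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])"


def snort_rule_for_ip(ip: str, sid: int) -> str:
    """One Snort 2 rule: inbound HTTPS request (after TLS inspection) whose
    body contains the blocklisted address. Assumes the IP is plain dotted-quad
    text in the body and that the platform honours http_client_body and pcre."""
    addr = str(ipaddress.IPv4Address(ip))  # raises ValueError on malformed input
    return (
        "alert tcp any any -> $HOME_NET 443 "
        f'(msg:"Blocklisted client IP {addr} in auth request body"; '
        "flow:to_server,established; "
        f'content:"{addr}"; http_client_body; fast_pattern; '
        f'pcre:"/{anchored_pattern(addr)}/P"; '
        f"sid:{sid}; rev:1;)"
    )


def generate_rules(ips, base_sid: int = 1000001) -> list:
    """Validate, de-duplicate and number the blocklist into rules."""
    seen, rules = set(), []
    for ip in ips:
        addr = str(ipaddress.IPv4Address(ip.strip()))
        if addr in seen:
            continue
        seen.add(addr)
        rules.append(snort_rule_for_ip(addr, base_sid + len(rules)))
    return rules


def body_matches(body: str, ip: str) -> bool:
    """Local re-implementation of the rule's pcre, to sanity-check coverage
    and false positives on captured bodies before importing the rules."""
    return re.search(anchored_pattern(ip), body) is not None


if __name__ == "__main__":
    for rule in generate_rules(BLOCKLIST):
        print(rule)
```

The `content:` keyword alone is a substring match, so without the anchored `pcre` a rule for 203.0.113.1 would also block a request carrying 203.0.113.10; `body_matches` lets you verify that on captured bodies first.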
RuiCosta
Explorer

Hi. Many thanks, I will check this feature, unknown to me 🙂
Bye

0 Kudos
