HTTP Inspection with personalized content filter
Hi all,
we have some Microsoft packets coming from MS ISP IP addresses on HTTPS.
Those packets are originated by MS services for authentication purposes.
They are proxied through our firewall and forwarded to our on-premises federated auth infrastructure in the DMZ.
We receive both legitimate auth requests and brute force attacks.
The source IP addresses are always trusted MS IPs and cannot be filtered or dropped.
We would like to know if there is a way to enable inbound HTTPS inspection, parse the content (the IP address inside the message) against a list of IPs that we know to be malicious and that we collect in other ways, and finally prevent the packet from reaching the auth infrastructure.
The Check Point IPS IP reputation alone may not be enough for us
(for now Microsoft says there is no way for them to block those requests...)
Many thanks 🙂
Rui
How precisely is the IP encoded in the traffic?
If it's not in an IP or an HTTP header, it'll probably require an RFE.
Hi, thanks for your answer. Unfortunately it is inside the message body.
I suppose that a way must exist, maybe in another blade like AV.
For Threat Prevention, you have the ability to create Snort Signatures.
Hi. Many thanks, I will check this feature, which is unknown to me 🙂
Bye
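
As an added illustration of the Snort signature suggestion above (not part of the thread and not Check Point's own code): a Python generator that turns a list of known-malicious IPs into Snort 2.x rules matching the address as literal text in the decrypted HTTP request body, with a boundary check so one address does not match a longer one. The sample addresses, SID range, port and rule options are assumptions, and which options the gateway's Snort import accepts has to be confirmed in the product documentation.

```python
import ipaddress
import re

# Constructed sample blocklist (documentation ranges), standing in for the
# poster's own list of known-malicious client IPs.
BLOCKLIST = ["203.0.113.7", "198.51.100.24", "203.0.113.7", "not-an-ip"]

BASE_SID = 1000001  # assumption: custom rules use SIDs from 1,000,000 upward


def boundary_regex(ip: str) -> str:
    """Regex that matches ip only as a whole address, not as part of a
    longer one (203.0.113.7 must not hit 203.0.113.70 or 1203.0.113.7)."""
    return r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])"


def build_rules(ips, base_sid=BASE_SID):
    """Return one Snort 2.x rule per unique, valid IPv4 address."""
    rules, seen = [], set()
    for raw in ips:
        try:
            ip = str(ipaddress.IPv4Address(raw.strip()))
        except ValueError:
            continue  # skip malformed entries instead of emitting a bad rule
        if ip in seen:
            continue
        seen.add(ip)
        sid = base_sid + len(rules)
        rules.append(
            f'alert tcp any any -> any 443 ('
            f'msg:"Blocklisted client IP {ip} in auth request body"; '
            f'flow:to_server,established; '
            # cheap literal match first, restricted to the request body
            f'content:"{ip}"; http_client_body; '
            # then the boundary check; /P applies pcre to the request body
            f'pcre:"/{boundary_regex(ip)}/P"; '
            f'sid:{sid}; rev:1;)'
        )
    return rules


def body_matches(ip: str, body: str) -> bool:
    """Offline check of the same boundary regex against a sample body."""
    return re.search(boundary_regex(ip), body) is not None


if __name__ == "__main__":
    print("\n".join(build_rules(BLOCKLIST)))
```

The rules only see the body when inbound HTTPS inspection decrypts the traffic first, and they assume the IP appears as plain ASCII text rather than in an encoded form.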
