Jarvis_Lin
Contributor

Anti-Bot IP Reputation

Hi Everybody,

Anti-Bot Protection contains IP, URL and Domain reputation lists.

2022-08-17_224009.png

I can generate URL and DNS reputation logs easily, but cannot generate IP reputation logs without using indicator files / an external IOC feed.

How can I generate IP reputation logs without using indicator files / an external IOC feed? Is it possible to do?

8 Replies
Chris_Atkinson
Employee

For background what are you trying to achieve, are you trying to confirm a protection works as expected or do you need the log record as a template?

Jarvis_Lin
Contributor

Hi Chris,

When I access "http(s)://131.188.40.189", the traffic is blocked by Anti-Bot (URL Reputation), but when I ping 131.188.40.189 or telnet 131.188.40.189 25, the traffic goes through.

Can I generate IP reputation logs on production? I have tried several times but with no luck.

What kind of tests can trigger IP reputation logs?
Is it possible to create an IP reputation log record via the ThreatWiki page for a demo?

ClonyShen
Participant

Hi Chris,

In this example, according to "https://urlcat.checkpoint.com/urlcat/main.htm":

if I enter the IP "131.188.40.189", it is shown as URL Reputation, not IP Reputation.

2022-08-17_23-24-37.png

The Anti-bot Protection name (Reputation IP/Reputation URLs / Reputation Domain) confuses me.

As far as I know:

1. Reputation IP => xxx.xxx.xxx.xxx

2. Reputation URLs => www.bot.com/xxx.exe

3. Reputation Domain => www.bot.com

For this case, if we want to show a log of "Reputation IP" in Logs and Monitoring, would it be possible?

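To make the three-way split above concrete, here is an added Python classifier (not code from this thread or from Check Point; the matching rules are my own reading of the taxonomy, not the blade's documented logic) that shows why "http(s)://131.188.40.189" is treated as a URL-form indicator while the bare IP is the only input that lands in the IP family:

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Protection family names as they appear in the thread.
REPUTATION_IP = "Reputation IP"
REPUTATION_URL = "Reputation URLs"
REPUTATION_DOMAIN = "Reputation Domain"


def _is_ip_literal(host: str) -> bool:
    """True for a syntactically valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_indicator(indicator: str) -> str:
    """Map a raw indicator string to the reputation family it belongs to.

    Assumed rules (my interpretation of the thread's taxonomy):
      - scheme, path or query present        -> Reputation URLs
        (so http://131.188.40.189 is a URL-form indicator, as urlcat reports)
      - bare IP literal, optionally with port -> Reputation IP
      - anything else (a hostname)           -> Reputation Domain
    """
    text = indicator.strip()
    # Prepend "//" so urlsplit treats a scheme-less "host[:port][/path]" as a netloc.
    parts = urlsplit(text if "://" in text else "//" + text)
    if parts.hostname is None:
        raise ValueError(f"cannot parse indicator: {indicator!r}")
    if parts.scheme or parts.path or parts.query:
        return REPUTATION_URL
    if _is_ip_literal(parts.hostname):
        return REPUTATION_IP
    return REPUTATION_DOMAIN


def summarize(indicators) -> dict:
    """Count how many observed destinations fall into each family."""
    return dict(Counter(classify_indicator(i) for i in indicators))


if __name__ == "__main__":
    # Constructed sample: the thread's own examples plus a port-qualified IP.
    sample = ["131.188.40.189", "https://131.188.40.189",
              "www.bot.com/xxx.exe", "www.bot.com", "131.188.40.189:25"]
    for ind in sample:
        print(f"{ind:30} -> {classify_indicator(ind)}")
    print(summarize(sample))
```

Only the bare IP (with or without a port) ends up in the IP family; every browser-style access to an IP carries a scheme and so is matched as a URL.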
Chris_Atkinson
Employee

For context:

Reputation IPs.png

What confidence level is the profile/blade set to enforce?

Profile.png

Jarvis_Lin
Contributor

My settings are as below:

2022-08-18_212221.png

2022-08-18_212238.png

PhoneBoy
Admin

Are you trying to find a known IP that will trigger the Reputation IP protection?
In any case, the focus of Anti-Bot is DNS, SMTP, and HTTP(S), as noted here: https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...

Best practice is to limit outbound Internet connectivity to the precise services needed.
Meanwhile you might try a DNS lookup to the IP (assuming the lookup goes through the gateway) or initiate an SMTP connection to it.

Jarvis_Lin
Contributor

Hi PhoneBoy,

We have a lot of "Reputation IPs" for Anti-Bot Protection, shown below, but never see the "IP reputation" type in the logs.

2022-09-15_175141.png

Is it possible to generate "IP reputation logs" without using indicator files / an external IOC feed?

PhoneBoy
Admin

Not as far as I know because of how the decision to block is made (IP Reputation being just one factor).

When you use an external indicator feed and block based purely on that, we can make the clear statement in the logs that it's an "IP Reputation" reason.