CheckMates > Products > Quantum > Threat Prevention > Re: IOC feed - end user experience
IOC feed - end user experience
Just wondering if anyone who has deployed IOC feeds (sk132193) has ever thought that the end user gets two totally different experiences depending on how the feed is set up. I'm referring to feeds based on domain names / URLs btw.
Basically, if you block the whole domain (i.e. www.draugiem.lv in the log screenshot below) you will get a blank screen reporting that the name lookup failed, as the FW will block it (or return the DNS Trap IP if configured). So if I'm just a regular person, seeing a blank screen with an obscure Name_err message is not very helpful.
Example screenshot:
Whereas in the second case, where we block a specific path in the domain (www.netflix.com/browse), the end user will get a proper "Access Blocked" webpage generated by the FW AntiBot/AntiVirus blade. Very informative and helpful.
You can actually see which type of protection kicked in (URL vs DNS).
I realise that a DNS block is way more effective from a security point of view, as no data is actually transmitted, plus it is less resource hungry. But I still find that "educating" the end user is a big and important piece. And those well defined "Access blocked" webpages are really helpful.
Question is - is it possible to customise IOC feed behaviour on the AB/AV blade so that we allow the DNS request through and display a proper block page in the browser?
- Tags:
- kz
It doesn't seem to be possible to create another IOC observable to let the DNS lookup for www.draugiem.lv go through by specifying an action of Inactive only if it is on UDP port 53. But maybe you could create a TP exception like this:
Protected Scope: Any
Source: Any
Destination: Any
Protection/Site/File/Blade: (IOC Observable for www.draugiem.lv)
Services: dns (this is the key)
Action: Inactive
Track: Log
Wouldn't this exception let the DNS lookup for www.draugiem.lv go through because it is on UDP port 53 and matches the exception, but then let the URL be blocked and return the informative UserCheck to the user via a URL Reputation Block?
It's worth a try, but it would require a "special" translation app to handle such a case and create two lines for the feed! Thanks for the idea Tim!
IOC URL indicators work on HTTP traffic, and IOC Domain indicators work on DNS + HTTP traffic.
Currently, the IOC feature doesn't support defining a specific protocol for a domain.
Thanks @rachelda!
I've played a bit more now and changed the feed type from domain to URL, but I'm still getting very inconsistent results. You can see two examples below:
block2,bite.lv,URL,high,high,AB,ISEC
block3,disk.yandex.com,URL,high,high,AB,ISEC
1) bite.lv gave me the AB UserCheck block page the very first time, but later DNS started being blocked and I got a blank response in the browser. Could be it will generate the block message only once per session.
2) The yandex case just gave me a blank page = DNS was blocked.
The screenshot shows the difference between the two cases: the first one generated logs for both DNS and URL reputation, the second only DNS. Even though both are defined as URL feeds.
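As an added illustration (not code from this thread or from Check Point), the following parser reads seven-column feed lines like the two quoted above, validates each row, and reports which user experience rachelda's description predicts for each indicator type: a UserCheck block page for URL indicators (HTTP only) or a failed lookup for Domain indicators (DNS + HTTP). The column names and the accepted confidence/severity sets are my assumptions about the format; the thread's last post shows that URL-type lines did not always behave as predicted in practice, so treat the prediction as the documented intent, not a guarantee.

```python
import csv, io

# Column order as in the feed lines quoted in the thread; the column names
# themselves are an assumption about the format, not taken from the thread.
FEED_COLUMNS = ["name", "value", "type", "confidence", "severity", "product", "comment"]

# Enforcement point per indicator type, as rachelda states it in the thread:
# URL indicators act on HTTP traffic, Domain indicators on DNS and HTTP.
ENFORCED_ON = {"url": {"HTTP"}, "domain": {"DNS", "HTTP"}}

# Accepted values (confidence/severity sets assumed; AB/AV are the blades named in the thread).
ALLOWED = {"confidence": {"low", "medium", "high"},
           "severity": {"low", "medium", "high"}, "product": {"AB", "AV"}}

def parse_feed(text):
    """Parse feed CSV text; return (rows, errors) instead of raising."""
    rows, errors = [], []
    for lineno, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment/header line
        if len(fields) != len(FEED_COLUMNS):
            errors.append(f"line {lineno}: expected {len(FEED_COLUMNS)} columns")
            continue
        row = dict(zip(FEED_COLUMNS, (f.strip() for f in fields)))
        bad = [col for col, ok in ALLOWED.items() if row[col] not in ok]
        if row["type"].lower() not in ENFORCED_ON:
            bad.append("type")
        if bad:
            errors.append(f"line {lineno}: invalid {', '.join(bad)}")
            continue
        rows.append(row)
    return rows, errors

def expected_experience(row):
    """What the user should see, going by the enforcement points above."""
    if "DNS" in ENFORCED_ON[row["type"].lower()]:
        return "DNS lookup fails (blank page, or DNS Trap IP if configured)"
    return "UserCheck block page on HTTP"

# Constructed sample: the two lines quoted in the thread plus a Domain-type
# line for contrast.
SAMPLE_FEED = """block2,bite.lv,URL,high,high,AB,ISEC
block3,disk.yandex.com,URL,high,high,AB,ISEC
block4,www.draugiem.lv,Domain,high,high,AB,ISEC
"""

if __name__ == "__main__":
    for r in parse_feed(SAMPLE_FEED)[0]:
        print(f"{r['value']:<18} {r['type']:<7} {expected_experience(r)}")
```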
