Just wondering if anyone who has deployed IOC feeds (sk132193) has ever thought that the end user gets two totally different experiences depending on how the feed is set up. I'm referring to feeds based on domain names / URLs btw.
Basically if you block the whole domain (i.e. www.draugiem.lv in the log screenshot below) you will get a blank screen reporting that the name lookup failed, as the FW will block it (or return the DNS Trap IP if configured). So if I'm just a regular person, seeing a blank screen with an obscure Name_err message is not very helpful.
Example screenshot:
Whereas in the second case, where we block a specific path in the domain (www.netflix.com/browse), the end user will get a proper "Access Blocked" webpage generated by the FW AntiBot/AntiVirus blade. Very informative and helpful.
You can actually see which type of protection kicked in (URL vs DNS).
I realise that a DNS block is way more effective from a security point of view, as no data is actually transmitted, plus it is less resource hungry. But I still find that "educating" the end user is a big and important piece. And those well defined "Access Blocked" webpages are really helpful.
Question is - is it possible to customise IOC feed behaviour on the AB/AV blade so that we allow the DNS request through and display a proper block page in the browser?
It doesn't seem to be possible to create another IOC observable to let the DNS lookup for www.draugiem.lv go through by specifying an action of Inactive only if it is on UDP port 53. But maybe you could create a TP exception like this:
Protected Scope: Any
Source: Any
Destination: Any
Protection/Site/File/Blade: (IOC Observable for www.draugiem.lv)
Services: dns (this is the key)
Action: Inactive
Track: Log
Wouldn't this exception let the DNS lookup for www.draugiem.lv go through because it is on UDP port 53 and matches the exception, but then let the URL be blocked and return the informative UserCheck to the user via a URL Reputation Block?
It's worth a try but would require "special" translation app to handle such case to create two lines for the feed! Thanks for the idea Tim!
An IOC URL indicator works on HTTP traffic, and an IOC Domain indicator works on DNS + HTTP traffic.
Currently, the IOC feature doesn't support defining a specific protocol for a domain.
Thanks @rachelda!
I've played a bit more now and changed the feed type from domain to URL, but I'm still getting very inconsistent results. You can see two examples below:
block2,bite.lv,URL,high,high,AB,ISEC
block3,disk.yandex.com,URL,high,high,AB,ISEC
1) bite.lv gave me the AB UserCheck block page the very first time, but later DNS started being blocked and I got a blank response in the browser. Could be it will generate the block message only once per session.
2) The yandex case just gave me a blank page = DNS was blocked.
The screenshot shows the difference between the two cases: the first one generated logs for both DNS and URL reputation, the second only DNS. Even though both are defined as URL feeds.
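As an added example (not code from the thread or from Check Point), here is a small linter for feed lines of the shape shown above. It parses the seven comma-separated fields (column names are assumed from the lines on the page), maps each indicator type to the enforcement rachelda described (Domain: DNS + HTTP; URL: HTTP only), and flags duplicate names and bare-host URL entries like bite.lv, which are the entries this thread found behaving inconsistently.

```python
import csv
from collections import namedtuple
from io import StringIO
from urllib.parse import urlsplit

# Column names are assumed from the seven fields in the feed lines above.
Indicator = namedtuple("Indicator", "name value type confidence severity product comment")
# Enforcement per indicator type, as stated by rachelda in the thread.
ENFORCEMENT = {"Domain": ("DNS", "HTTP"), "URL": ("HTTP",)}

def parse_feed(text):
    """Parse comma-separated feed lines; '#' comment lines and blank lines are skipped."""
    indicators = []
    for lineno, row in enumerate(csv.reader(StringIO(text)), start=1):
        if not row or row[0].lstrip().startswith("#"):
            continue
        if len(row) != len(Indicator._fields):
            raise ValueError(f"line {lineno}: expected {len(Indicator._fields)} columns, got {len(row)}")
        indicators.append(Indicator(*(c.strip() for c in row)))
    return indicators

def channels(ioc):
    """Traffic the indicator is enforced on; empty for types not mapped here."""
    return ENFORCEMENT.get(ioc.type, ())

def has_path(ioc):
    """True for www.netflix.com/browse, False for a bare host such as bite.lv."""
    value = ioc.value if "://" in ioc.value else "//" + ioc.value
    return urlsplit(value).path not in ("", "/")

def lint_feed(text):
    """Warnings for entries that will not behave the way the feed author probably expects."""
    warnings, seen = [], set()
    for ioc in parse_feed(text):
        if ioc.name in seen:
            warnings.append(f"{ioc.name}: duplicate name; the first column should be unique")
        seen.add(ioc.name)
        if ioc.type not in ENFORCEMENT:
            warnings.append(f"{ioc.name}: type {ioc.type!r} is not in the Domain/URL mapping used here")
        # Bare-host URL entries (bite.lv, disk.yandex.com) are the case the thread found inconsistent.
        if ioc.type == "URL" and not has_path(ioc):
            warnings.append(f"{ioc.name}: URL indicator without a path; the thread saw DNS blocking for these")
    return warnings

# Constructed sample feed: the two lines from the thread plus a Domain and a path entry.
SAMPLE_FEED = """\
block1,www.draugiem.lv,Domain,high,high,AB,ISEC
block2,bite.lv,URL,high,high,AB,ISEC
block3,disk.yandex.com,URL,high,high,AB,ISEC
block4,www.netflix.com/browse,URL,high,high,AB,ISEC
"""
```

Running `lint_feed(SAMPLE_FEED)` before uploading a feed gives you the entries worth double-checking in the logs, rather than discovering the blank-page behaviour from a user report.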