This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Kaspars_Zibarts
Authority
Authority
‎2021-11-09 11:54 PM

IOC feed - end user experience

Just wondering if anyone who has deployed IOC feeds (sk132193 ) has ever thought that end user gets two totally different experiences depending on how the feed is set up. I'm referring to feed based on domain names / URLs btw.

Basically if you block the whole domain (i.e. www.draugiem.lv in log screenshot below) you will get a blank screen reporting that name lookup failed as FW will block it (or return DNS Trap IP if configured). So if I'm just a regular person, seeing blank screen with obscure Name_err message is not very helpful.

Example screenshot:

image.png

 

 

 

 

Whereas second case where we block a specific path in the domain (www.netflix.com/browse), end user will get a proper "Access Blocked" webpage generated by FW AntiBot/AntiVirus blade. Very informative and helpful.

You can actually see which type of protection actually kicked in (URL vs DNS)

image.png

 

I realise that DNS block is way more effective from security point of view as no data is actually is transmitted plus less resource hungry. But I still find that "educating" end user is a big and important piece. And those well defined "Access blocked" webpages are really helpful.

Question is - is it possible to customise IOC feed behaviour on AB/AV balde so that we allow DNS request through and display proper block page in the browser?

4 Replies
Timothy_Hall
Champion
Champion
‎2021-11-13 02:16 PM

It doesn't seem to be possible to create another IOC observable to let the DNS lookup for www.draugiem.lv go through by specifying an action of Inactive only if it is on UDP port 53.  But maybe you could create a TP exception like this:

Protected Scope: Any

Source: Any

Destination: Any

Protection/Site/File/Blade: (IOC Observable for www.draugiem.lv

Services: dns (this is the key)

Action: Inactive

Track: Log

Wouldn't this exception let the DNS lookup for www.draugiem.lv go through because it is on UDP port 53 and matches the exception, but then let the URL be blocked and return the informative UserCheck to the user via a URL Reputation Block?

 

"Max Capture: Know Your Packets" Self-Guided Video Series
available at http://www.maxpowerfirewalls.com
Kaspars_Zibarts
Authority
Authority
‎2021-11-14 10:48 PM
In response to Timothy_Hall

It's worth a try but would require "special" translation app to handle such case to create two lines for the feed! Thanks for the idea Tim!

0 Kudos
rachelda
Employee
Employee
‎2021-11-15 12:48 AM

IOC URL Indicator work on HTTP traffic and IOC Domain indicator work on DNS + HTTP traffic

Currently, IOC feature doesn't support define a specific protocol for domain 

0 Kudos
Kaspars_Zibarts
Authority
Authority
‎2021-11-15 05:33 AM
In response to rachelda

thanks @rachelda !

I've played a bit more now and changed the feed type from domain to URL, but I'm still getting very inconsistent results. You can see two examples below:

block2,bite.lv,URL,high,high,AB,ISEC
block3,disk.yandex.com,URL,high,high,AB,ISEC

1) bite.lv gave me AB userchek block page very first time, but later DNS started being blocked and blank response in browser. Could be it will generate block message only once per session

2) yandex case just gave me blank page = DNS was blocked. 

Screenshot shows difference between two cases - first one generated log for both - DNS and URL reputation. The second only DNS. Even though both are defined as URL feeds.

 

image.png

 

0 Kudos