cancel
Showing results for 
Search instead for 
Did you mean: 

Who rated this post

Peter_Elmer
Employee
Employee

Hello @Danny , @Timothy_Hall ,

let me share what I found:

Where in packet processing is the enforcement of IP addresses listed in IoC feeds taking place?

ATRG for Anti-Virus and AntiBot documents that ‘IP reputation’ engine is ignited by CMI Loader. CMI Loader is taking elements from Protocol Parsers (see IPS ATRG for details sk95193). Reading the text below the diagram of sk92264 you see that ‘on new connection arrival’ we check IP address against ‘IP Reputation’.

Extract from sk92264

"On new connection arrival, in the first packet, before the Security rulebase:
- Malware rulebase matches a profile for Anti-Bot and Anti-Virus
- IP is classified by reputation IP address"

Conclusion

If you enable Anti-Virus and AntiBot you enable IP reputation verification software instance. As stated above ‘on new connection arrival’ this engine is called FIRST – BEFORE check for HTTPS Inspection and/or Access Control and/or Threat Prevention rule base. This is to save cycles on rule base processing in case the traffic is send from a source listed in the IP reputation IoC list.

best regards

pelmer

0 Kudos
(1)
Who rated this post