skidsteerpilot
Participant

ioc_feeds whitelist

re: R80.40

We are ingesting ioc feeds via ioc_feeds command. We would like to have a process in place for whitelisting individual ip/url/domain in case the need arises. The logs show the feeds are being processed via anti-bot and anti-virus blades. What would be the most efficient method to accomplish this?

6 Replies
PhoneBoy
Admin

IOC Feeds are done by AB/AV blades.
@TP_Master is there a way to explicitly allow something that would be blocked by an ioc_feed? 

skidsteerpilot
Participant

We are still looking for a solution to whitelisting individual domain/url/ip that are ingested via ioc_feeds. TAC has not been able to provide a solution.

We are currently manually removing domain/url/ip that we need access to (false positives) and repushing ioc_feeds. This has to be done on a separate feed server and then the push on the gateway. This process is not sustainable.

We have tried:
1. using the "Add Exception" link on the Prevent log associated with the lookup
2. create manual "Global" exception using "Domain" as "Destination"
3. create manual "Global" exception using "Custom Application Site" and domain regex as seen in SK165094
4. 3&4 in "Recommended Protections Exceptions"

Maybe this can not be done, but I would think anyone using ioc_feeds would have a viable solution to whitelist individual entries as users discover false positives. 

A caveat we have discovered is that after an exception is put in place, there seems to be a short window of opportunity where it appears the exception is working, possibly during reload, but then it fails. The 'window' seems to range in time, nothing specific. So, when working with TAC or on our own, there have been several occasions of high-fives, only later to discover the site in question is still blocked.

If anyone is working with ioc_feeds and has a whitelisting process that works, we would be interested to hear how that happens.

huseyinyildirim
Participant

Any developments with this? I am facing the same issue and have not been able to figure out how to whitelist individual URLs/IPs.

skidsteerpilot
Participant

Unfortunately not. I've ended up creating a separate text file of ip/urls to whitelist and then added a function in the script that creates the feed lists to remove any items found in that whitelist file. Thankfully, there have only been a handful that we have had to apply this to. Not elegant, but functional (so far).

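The workaround described in the post above (a separate whitelist file, and a step in the feed-building script that drops any feed entry found in it) can look like this. This is an added example, not the poster's script or any Check Point code. It assumes the feed is in the CSV layout used by Check Point Custom Intelligence Feeds (`#UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT`; adjust the column indexes if your feed differs) and, going slightly beyond the exact-match removal the post describes, it also drops subdomains of a whitelisted domain, IPs inside a whitelisted CIDR, and URL entries whose host is whitelisted. Both input files below are constructed samples embedded inline so the script runs offline.

```python
#!/usr/bin/env python3
"""Filter a Check Point custom IOC feed (CSV) against a whitelist file.

Added example, not the poster's own script. The CSV column layout is an
assumption taken from the Custom Intelligence Feeds format; whitelist
matching is deliberately broader than a plain string compare.
"""
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Constructed sample feed (assumed column layout, see module docstring).
FEED_CSV = """#UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT
ioc-0001,evil.example,Domain,high,high,AB,constructed sample
ioc-0002,www.good.example,Domain,high,high,AB,false positive
ioc-0003,198.51.100.7,IP,medium,medium,AB,constructed sample
ioc-0004,203.0.113.10,IP,high,high,AB,false positive
ioc-0005,http://good.example/login,URL,high,high,AV,false positive
ioc-0006,http://evil.example/dl.exe,URL,high,high,AV,constructed sample
"""

# Constructed sample whitelist: one domain, IP, CIDR or URL per line.
WHITELIST_TXT = """# entries confirmed as false positives
good.example
203.0.113.10
"""


def load_whitelist(text):
    """Parse whitelist lines into (domains, ip_networks, urls)."""
    domains, nets, urls = set(), [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "://" in line:                       # full URL entry
            urls.add(line.rstrip("/").lower())
            continue
        try:                                    # bare IP or CIDR entry
            nets.append(ipaddress.ip_network(line, strict=False))
            continue
        except ValueError:
            pass
        domains.add(line.lower().rstrip("."))   # anything else is a domain
    return domains, nets, urls


def _domain_allowed(host, domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def _ip_allowed(value, nets):
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def is_whitelisted(value, ioc_type, wl):
    """True if a feed VALUE of the given TYPE matches the whitelist."""
    domains, nets, urls = wl
    kind = ioc_type.strip().lower()
    if kind == "domain":
        return _domain_allowed(value, domains)
    if kind == "ip":
        return _ip_allowed(value, nets)
    if kind == "url":
        url = value.strip()
        if url.rstrip("/").lower() in urls:
            return True
        host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
        return _domain_allowed(host, domains) or _ip_allowed(host, nets)
    return False   # hashes, mail fields etc. are never whitelisted here


def filter_feed(feed_text, whitelist_text):
    """Return (filtered_csv, kept_names, dropped_names)."""
    wl = load_whitelist(whitelist_text)
    kept, dropped = [], []
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(feed_text)):
        if not row or row[0].startswith("#"):   # header/comment lines pass through
            writer.writerow(row)
            continue
        if is_whitelisted(row[1].strip(), row[2], wl):
            dropped.append(row[0])
        else:
            writer.writerow(row)
            kept.append(row[0])
    return out.getvalue(), kept, dropped


if __name__ == "__main__":
    csv_out, kept, dropped = filter_feed(FEED_CSV, WHITELIST_TXT)
    print(csv_out, end="")
    print(f"# kept {len(kept)} entries, dropped {len(dropped)}: {', '.join(dropped)}")
```

In real use the script would read the feed and whitelist from files on the feed server and write the filtered CSV to the location the gateway's `ioc_feeds` configuration fetches from; the filtering logic is the same. Keeping the dropped UNIQ-NAMEs in the output (as the `#` comment line does) leaves an audit trail of which indicators were suppressed and why.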
PhoneBoy
Admin

There is a feature in R81.20 that might work better here for this use case: Network Feed object.
This should support both IPs and URLs and can be used in the Access Policy, making it significantly more flexible.

skidsteerpilot
Participant

That sounds good. We're on R80.40. Upgrade planning is in progress so will look forward to this! Thank you.
