
Load IP/url lists to be blocked - Another basic feature missing?

Is there a way to load, in any format, a list of IP addresses to be blocked in Sophos XG?

The idea is to load IP lists / URLs from MineMeld, Yeti or any other threat intelligence aggregator source like firehole.


This is a basic feature available in Palo Alto, Cisco, FortiGate, pfSense, OPNsense, etc.

EDIT: Implement support for dynamic/public IP/URL blacklist feeds    ideas.sophos.com/.../15991441-implement-support-for-dynamic-public-ip-url-blackl



  • Web Proxy can only be used for HTTP/HTTPS requests. So no, it would only block requests via port 80/443.

    But, and now my personal opinion, we are using our own database behind it: Sophos Labs.

    https://www.sophos.com/en-us/labs.aspx

    https://community.sophos.com/kb/en-us/121544


    In your feature request, Rich Baldry also responded with the same approach.

    "2. Do you have more specifics about why you think Sophos's ATP is prone to false positives? This comment also implies that you've found community blacklists to be more reliable? Do you have data to back that up? Or is it simply that you're looking to use lists that are beyond the scope of ATP?"


    You "could" build those lists by yourself. It would need scripting experience, but a simple script that imports those objects into an XG object and uses this object in a firewall rule would do the job.

    You would have to import those lists via Python, PowerShell, etc. into XML format and push those lists to XG. 1k per object.


    Personally speaking, I am not quite a fan of such lists. Quite often they are outdated, contain false positives, etc.


    And do not forget, XG has IPS with patterns by Talos, etc. Those detection features are way beyond simple "blocking all requests going to abc.de".


    Btw: https://community.sophos.com/kb/en-us/126733

    Do not forget, sometimes the bad boys use lookups as kill switches ;)

    The Wanna malware variants that we have seen include a lookup to a URL. If the malware gets a response, the attack stops. This has been described in some media reports as a “kill switch”. The domain for the URL was registered and activated by an independent malware analyst intending to track the malware, meaning that if current variants of the ransomware can reach the URL the attack would stop.
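The scripted import the reply sketches (feed file to XG IP list object, 1k entries per object), as an added example that is not from the thread or from Sophos: it parses a constructed feed, drops malformed and duplicate entries, splits at 1000 addresses per object and builds the XML request body. The element names IPHost, HostType=IPList and ListOfIPAddresses, the object naming and the credentials are assumptions to verify against the XG API reference for your firmware version.

```python
import ipaddress
from xml.etree import ElementTree as ET

MAX_PER_OBJECT = 1000  # the "1k per Object" limit mentioned in the reply

# Constructed sample feed (not a real indicator list): comments, blank lines,
# a duplicate and a malformed entry, the noise a real feed typically contains.
SAMPLE_FEED = """# constructed example feed
192.0.2.1
192.0.2.2
not-an-ip
192.0.2.1  # duplicate

198.51.100.7
"""

def parse_feed(text):
    """Return unique, valid IPv4 addresses in first-seen order."""
    found = {}
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            found[str(ipaddress.IPv4Address(entry))] = None
        except ValueError:
            continue  # skip malformed entries instead of aborting the import
    return list(found)

def chunk(items, size=MAX_PER_OBJECT):
    """Split the address list into pieces no larger than one XG object holds."""
    return [items[i:i + size] for i in range(0, len(items), size)]

def build_request(ips, base_name="ti-feed", username="apiuser", password="***"):
    """Build the XML body for one XG API call that adds an IPList object per chunk.
    Element names (IPHost, HostType=IPList, ListOfIPAddresses) and the login
    block are assumed from the XG XML API; credentials here are placeholders."""
    req = ET.Element("Request")
    login = ET.SubElement(req, "Login")
    ET.SubElement(login, "Username").text = username
    ET.SubElement(login, "Password").text = password
    set_el = ET.SubElement(req, "Set", operation="add")
    for n, part in enumerate(chunk(ips), start=1):
        host = ET.SubElement(set_el, "IPHost")
        ET.SubElement(host, "Name").text = f"{base_name}-{n:03d}"
        ET.SubElement(host, "HostType").text = "IPList"
        ET.SubElement(host, "ListOfIPAddresses").text = ",".join(part)
    return ET.tostring(req, encoding="unicode")
```

The resulting string is what gets posted to the XG API controller from a host permitted for API access; the firewall rule then references the generated object names, and refreshing the feed means replacing those objects rather than appending to them.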