Implement support for dynamic/public IP/URL blacklist feeds
AlienVault has OTX (Open Threat eXchange) and there's https://intel.criticalstack.com/.
There's also a very big player, Palo Alto Networks, that provides Minemeld (see links at bottom of this post).
They all provide public feeds of known hostile IP addresses/ranges and URLs*.
I would really like to be able to make use of such feeds so I can create specific rules on my firewall to block all incoming traffic from these sources and possibly outgoing URL requests to known C2 servers.
If this blocked traffic (the outgoing attempts) is logged in a specific log, it would have the additional benefit of alerting an admin of a possibly compromised host.
Palo Alto Minemeld info URLs:
Any news about this? Or is Sophos still not thinking of implementing a feature that is available in any competitor, even the open-source ones?
Currently thinking of switching from pfSense to XG and I am currently able to do this with pfBlockerNG. If I am not mistaken it seems like this is possible in XG. Under Web -> Categories if you add a new one you can select 'External URL Database' and then add this to a Web/Policy and add that to a Firewall Rule. Can anyone confirm if what I am thinking will work?
1. In FireHOL you have tons of lists with different purposes to choose from
2. These lists can complement Sophos ATP or can have different purposes like blocking SPAM
3. I am looking to block IP lists mainly
This is a basic feature of any decent firewall in the market; you are probably losing customers because of this, please implement it ASAP.
We also want this feature. We would also like to see integration with Threat Intelligence sources such as ThreatConnect, AlienVault OTX, IBM X-Force, and others so that automated blocking of IOCs and IOAs can be achieved in the XG firewall platform.
This is viewed as an essential capability to effective threat mitigation at machine speed.
Competitive products from companies such as Palo Alto Networks already have all of these features.
The lack of this feature was the primary reason I switched from UTM to pfSense. There were constant attacks against my VPN port that I was unable to block, with constant failed connection attempts as a result. With the pfBlockerNG plugin I was able to block 90+% of those from even attempting a connection.
I would really like this as well. While the Sophos threat feeds are fine, they're naturally going to provide less protection than Sophos + SANS + FireHOL + DShield + <insert your favorite blacklist here>...
Similarly, having a whitelist option for all the IPs and domains that are listed in the Office 365 or Azure feeds would prevent accidentally blocking critical systems.
Support for dynamic blocklists is standard with a lot of Sophos competitors. I can safely say that if it's not a feature when our current contract is up, we'll be shopping. That's a shame, because we are otherwise very happy with our Sophos devices.
This is a near must for any IDS/IPS device.
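The behaviour the original request describes (consume a public IP/CIDR feed, block listed sources, and log outbound connections to listed addresses so a possibly compromised host can be flagged), plus the allowlist idea raised above (Office 365 / Azure ranges must never be blocked), as an added Python example that is not code from this thread or from any of the products named in it. The feed text, the allowlist and the firewall log lines are constructed for the example; the `src=`/`dst=` log layout is an assumption, not a real product format, and a real consumer would fetch the feed over HTTPS on a schedule instead of reading an inline string.

```python
"""Parse an IP/CIDR blocklist feed, honour an allowlist, and flag internal hosts
whose outbound connections went to listed addresses.

Added example; all feed, allowlist and log data below is constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed feed in the common one-entry-per-line layout ('#' comments,
# bare addresses or CIDR prefixes). The malformed line shows the parser
# skipping junk rather than aborting the whole update.
FEED_TEXT = """\
# constructed sample blocklist feed
198.51.100.0/24
203.0.113.7
203.0.113.8/32
not-an-address
"""

# Constructed allowlist of ranges that must never be blocked; it wins over
# the blocklist so a stale or over-broad feed entry cannot cut off a
# critical service.
ALLOWLIST_TEXT = """\
198.51.100.128/25
"""

# Constructed outbound-connection log lines (assumed key=value layout).
LOG_LINES = [
    "2024-05-01T10:00:01Z fw action=allow src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2024-05-01T10:00:02Z fw action=allow src=10.0.0.5 dst=93.184.216.34 dport=443",
    "2024-05-01T10:00:03Z fw action=allow src=10.0.0.9 dst=198.51.100.20 dport=8080",
    "2024-05-01T10:00:04Z fw action=allow src=10.0.0.9 dst=198.51.100.200 dport=8080",
    "2024-05-01T10:00:05Z fw action=allow src=10.0.0.12 dst=203.0.113.8 dport=4444",
]


def parse_feed(text):
    """Return the feed's valid entries as ip_network objects.

    Comments, blank lines and unparsable entries are skipped; a bare address
    becomes a /32 (or /128) network.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # malformed entry; a real consumer would count/log these
    return nets


def collapse(nets):
    """Merge overlapping/adjacent prefixes, per address family."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return (list(ipaddress.collapse_addresses(v4))
            + list(ipaddress.collapse_addresses(v6)))


class Blocklist:
    """Blocklist with an allowlist that takes precedence."""

    def __init__(self, block_nets, allow_nets=()):
        self.block = collapse(block_nets)
        self.allow = collapse(allow_nets)

    def verdict(self, ip):
        """'allow' if allowlisted, 'block' if listed, else 'none'."""
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in self.allow):
            return "allow"
        if any(addr in n for n in self.block):
            return "block"
        return "none"


LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+)")


def flag_outbound(lines, blocklist):
    """Map each internal source to the listed destinations it contacted.

    This is the alerting half of the request: an internal host talking to a
    feed-listed address is worth an admin's attention.
    """
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            if blocklist.verdict(m["dst"]) == "block":
                hits[m["src"]].append(m["dst"])
        except ValueError:
            continue  # dst was not an IP address; ignore for this check
    return dict(hits)


if __name__ == "__main__":
    bl = Blocklist(parse_feed(FEED_TEXT), parse_feed(ALLOWLIST_TEXT))
    for src, dsts in flag_outbound(LOG_LINES, bl).items():
        print(f"ALERT {src} contacted listed address(es): {', '.join(dsts)}")
```

The membership test is a linear scan over the collapsed prefixes, which is fine for a few thousand entries; for feeds in the hundreds of thousands a longest-prefix structure (radix tree or a sorted list searched with bisect) is the usual replacement. Checking the allowlist before the blocklist is the important ordering: it makes a bad feed entry fail open for the ranges you have declared critical instead of failing closed.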
I copy-pasted the request from UTM, but I will answer your questions.
1. Ad blocking, for example; one source of lists could be this one: https://iplists.firehol.org/
2. I won't comment about the FPs of ATP because the ones I have experience with aren't really relevant, like safe torrent trackers.
The purpose is to use more lists in addition to ATP; for me, FPs aren't a problem.
3. Both DNSBL and IP
I know you can add lists manually and in the XG format, but I was looking for something that auto-updates lists from different sources, something like pfBlockerNG.
Rich Baldry (Admin; Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) commented
Thanks for your idea. I'd like to ask a few questions to help understand the requirement.
1. Which of those lists do you find most useful for the different situations?
2. Do you have more specifics about why you think Sophos's ATP is prone to false positives? This comment also implies that you've found community blacklists to be more reliable? Do you have data to back that up? Or is it simply that you're looking to use lists that are beyond the scope of ATP?
3. You filed this request against Web protection. Are you looking just to block Web traffic with these blacklists? Or do you really want to use the lists to block traffic to specific IP addresses or ranges at the Firewall level?
Note also that Custom Categories under Web Protection provides some abilities to consume blacklists in the right format. This would normally be a URL/Hostname based format rather than IP blacklists.
Support the use of blacklists/blocklists. Note that this feature was requested at the link below and apparently Sophos thought that ATP would satisfy the need; however, it does not provide the requested functionality. Therefore I am re-posting this as a new suggestion.
The old suggestion was marked as implemented by the ATP feature; however ATP is not what was wanted and generates too many false alerts. This is the prior feature request: http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/1982075-network-security-block-malicious-botnet-bad-ip-s
Plain and simple: we want support for blocklists, such as those found here: https://www.iblocklist.com. I would also like to specify a blocklist per network. So, for example, my Guest Network could get one set of blocklists, my Data LAN network would get a different set, and specific host PCs could get other sets.
I'd love to see this. http://iplists.firehol.org is another good site with public feeds of IPs that you might want to block on your network.