Solved IP Fetch + LOG/HARVEST + BAN

Status
Not open for further replies.

Nico@FMA

Level 27
Thread author
Verified
May 11, 2013
1,687
Hello Guys,

I am looking for an IP Harvester, specifically to build a rogue IP list based upon the Symantec Endpoint Protection log.
Right now SEP is collecting IP addresses based upon connection and system rules.
Some are flagged as allowed because of legit protocols and some are blocked by the rule set as rogue attempts.
Now some of these IP addresses are truly bad as I have checked some of the Severity 10 alerts.
Given the findings I would very much like a program that can fetch these S-10 blocks and add them to a separate txt file so I can use that file as a system wide blacklist.
* And NO, I am not going through over a million log entries to scan by hand.

Even a script would do fine... but it needs the ability to run non-intrusively for an unlimited time.
So any suggestions or ideas are very much welcome.

Cheers

Deleted member 178

Did you try some log viewers (Log Expert, Viewing Log Files, etc...)? Maybe in some of them you can create some commands (like retrieving & opening SEP logs) and custom filters (find S-10 blocks).

Nico@FMA
Did you try some log viewers (Log Expert, Viewing Log Files, etc...)? Maybe in some of them you can create some commands (like retrieving & opening SEP logs) and custom filters (find S-10 blocks).

Yes, I did try most of them and they are nice for viewing, but they cannot fetch and extract the IP addresses using a filter to exclude lower severity alerts. I am really only interested in S-10, because anything below S-10 is just generic blocks based upon non-intrusive protocols and unused service ports.
On top of that, S-10 alerts are beyond reasonable doubt malware, hacking or malicious alerts.
Now, one of the main problems I encounter when I use the mentioned log viewers is that they are still not capable of telling malicious traffic from just static communication, so they generate pretty much the same logs as SEP does.

Also, SEP adds some internal codes to the logs that correspond to the internal references for individual rules and policies, and most of those log viewers seem to have a problem with that as well.
Now, as I mentioned, I do not need all the info regarding the blocks listed in the FW log; I just need to extract the IP addresses and drop them into a new text file which I can import into the main server and have them hard blocked.
Usually SEP Manager would be capable of doing that, but I am not happy with the individual rules created throughout the network; there are just too many, so I want to make one rule based upon an IP blacklist that instantly bans all of them.
To do that I need a script or program that can do that for me.
As I said, there are a few million alerts in the logbook and there is no way I am going to fetch them by hand.
7 days ago I flushed all the logs, and right now I am looking at 2 million alerts.
So as you probably figured, the network is having LOTS of traffic, outgoing but especially incoming, and I am precisely interested in those malicious alerts towards the network.

Obviously I could just let SEP do what it does, because it's doing a good job; so far, since the last maintenance revision of the rule set, it has blocked over 30k malicious intrusion attempts including DDoS and targeted P-scans and injections.
And that's just over 2 weeks.
But because our team does see an increase in rogue traffic and more attacks, we would like to try something new while running SEP clients, SEP Server and SEP Manager.

I hope this explains a bit.
Cheers
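An added example (not code from this thread, nor from Symantec) of the harvester described above: it filters an SEP firewall log export for Blocked, Incoming events of severity 10, pulls the remote IPs, drops your own LAN and other local ranges, and merges the rest into a blacklist text file so repeated scheduled runs only add new addresses. The tab-separated column layout and the sample log lines are constructed assumptions, since the thread does not show the real export format.

```python
import ipaddress
from pathlib import Path
# Constructed sample in an assumed tab-separated layout (a real SEP export
# has other columns; adjust the field indexes in extract_rogue_ips):
# time  action  severity  direction  proto  remote_ip  remote_port  local_ip  local_port  rule
SAMPLE_LOG = (
    "2013-05-11 10:01:02\tBlocked\t10\tIncoming\tTCP\t203.0.113.45\t445\t192.168.1.10\t445\tBlock SMB\n"
    "2013-05-11 10:01:05\tBlocked\t3\tIncoming\tUDP\t198.51.100.7\t137\t192.168.1.10\t137\tBlock NetBIOS\n"
    "2013-05-11 10:02:17\tBlocked\t10\tOutgoing\tTCP\t192.168.1.10\t443\t198.51.100.9\t443\tBlock outbound\n"
    "2013-05-11 10:03:44\tBlocked\t10\tIncoming\tTCP\t203.0.113.45\t3389\t192.168.1.22\t3389\tBlock RDP\n"
    "2013-05-11 10:04:00\tBlocked\t10\tIncoming\tTCP\t10.0.0.5\t22\t192.168.1.10\t22\tBlock SSH\n"
    "2013-05-11 10:04:30\tBlocked\t10\tIncoming\tTCP\t198.51.100.200\t1433\t192.168.1.10\t1433\tBlock MSSQL\n"
)

# Ranges that must never end up on the blacklist: own LAN, loopback, link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def extract_rogue_ips(lines, min_severity=10):
    """Return the set of remote IPs behind Blocked, Incoming events with
    severity >= min_severity; malformed lines and local ranges are skipped."""
    rogue = set()
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 6:
            continue
        action, severity, direction, remote = fields[1], fields[2], fields[3], fields[5]
        if action != "Blocked" or direction != "Incoming":
            continue
        if not severity.isdigit() or int(severity) < min_severity:
            continue
        try:
            addr = ipaddress.ip_address(remote)
        except ValueError:
            continue  # garbage in the remote-host column
        if any(addr in net for net in LOCAL_NETS):
            continue
        rogue.add(remote)
    return rogue

def update_blacklist(path, ips):
    """Merge ips into the blacklist file (sorted, duplicate-free) and
    return how many addresses were new, so repeated runs only add."""
    p = Path(path)
    existing = set(p.read_text().split()) if p.exists() else set()
    new = set(ips) - existing
    p.write_text("\n".join(sorted(existing | new, key=ipaddress.ip_address)) + "\n")
    return len(new)

if __name__ == "__main__":
    found = extract_rogue_ips(SAMPLE_LOG.splitlines())
    print(f"{update_blacklist('blacklist.txt', found)} new addresses written")
```

Pointed at the real export and run from a scheduled task, the same two functions give the append-only blacklist file the post asks for; the resulting file is what you would import into the SEP Manager rule.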

Deleted member 178

After your clarifications, I think you need a personalized script/program; maybe some members here can do it for you.

Deleted member 178

Maybe you should contact Dubseven here (the author of Tiranium AV); I think he may be able to write you a script for it ^^

Nico@FMA
Maybe you should contact Dubseven here (the author of Tiranium AV); I think he may be able to write you a script for it ^^

Yeah, I might do that. I am pretty good with scripts myself, and I did try something, but it's not working as I would like.
So anyone with golden script fingers... go crazy.