Reputation filter not working?
All Replies
-
Hi @SecuRing ,
If the types of reputation include "Botnets", the reputation filter will block outgoing/incoming traffic.
If the types of reputation don't include "Botnets", it only blocks incoming traffic.
For example:
1) FORWARD is correct because there is no "Botnets":
May 1 00:51:11 xxxxxxxxxxxx May 1 00:51:12 2023 xxxxxx src="192.168.10.37:53272" dst="37.48.65.155:123" msg="Malicious connection:Phishing,Anonymous Proxies" note="ACCESS FORWARD" user="unknown" devID="xxxxxxxxxx" cat="IP Reputation"
2) BLOCK is correct because there is "Botnets":
May 1 08:25:06 xxxxxxxx May 1 08:25:06 2023 xxxxxx src="192.168.10.21:25121" dst="81.169.145.94:443" msg="Malicious connection:Exploits,BotNets,Phishing" note="ACCESS BLOCK" user="unknown" devID="xxxxxxxxxxxx" cat="IP Reputation"
Thank you
0 -
OK, thanks.
It would be a good idea to add this information to the documentation.
Just a suggestion for future improvement: add an option that blocks outgoing traffic anyway and/or enhance external block list to add a category (e. g. Botnets).
0 -
Thanks for your suggestion. We will evaluate that.
Thank you
0 -
Still looking for a solution - for me, it's almost as if the service was disabled as of 4/22. Same for the other related "Reputation" features (URL/DNS)
I have confirmed that inbound traffic from addresses in the block lists is being passed through and with nothing showing in the logs. I was previously able to see items in the (IP Reputation) log showing the traffic being blocked… but now nothing!
0 -
Maybe this is a monitoring issue. Device monitoring shows block counts 0/2/0 for reputation filter (IP/DNS/URL; scanned: 39180/19531/9753). However if I look into the logs forwarded to Splunk I see block counts 0/2/4821!
Examples:
May 3 07:25:49 xxxxxxxxxxxx May 3 07:25:49 2023 xxxxxxxxxxxx src="192.168.10.8:50034" dst="192.168.10.1:53" msg="covidid.com:Malicious Sites" note="DNS REDIRECT" user="unknown" devID="xxxxxxxxxxxx" cat="DNS Filter"
May 3 20:00:02 xxxxxxxxxxxx May 3 20:00:02 2023 xxxxxxxxxxxx src="192.168.10.21:52662" dst="142.250.185.198:443" msg="fls.doubleclick.net:Block List, Rule_name=BLOCK_AD_STATISTICS, SSI=N" note="ACCESS BLOCK" user="unknown" devID="xxxxxxxxxxxx" cat="URL Threat Filter"
0 -
I don't think so - I see absolutely nothing logged (IP Reputation) for traffic from "blocked" addresses (or any external address for that matter), and I can still access resources from them as well, which suggests to me that it is not working.
0 -
Hi @SecuRing ,
I am sorry that I have to correct my statement:
Forward logs should not appear.
1) FORWARD is correct because there is no "Botnets":
May 1 00:51:11 xxxxxxxxxxxx May 1 00:51:12 2023 xxxxxx src="192.168.10.37:53272" dst="37.48.65.155:123" msg="Malicious connection:Phishing,Anonymous Proxies" note="ACCESS FORWARD" user="unknown" devID="xxxxxxxxxx" cat="IP Reputation"
But the issue cannot be reproduced on my side. Forward logs don't exist when I access 37.48.65.155. Could you send the diag-info by private message?
Hi @SDWinkelman ,
Could you share your diag-info by private message?
Thank you
0 -
diag-info sent.
0