karsayor, posted August 4, 2023:

Hello, I had to set some exclusions for IDS to prevent the logs from overfilling, so I disabled the logging of these events. Until a few months ago I had the Threat Name "EsetIpBlacklist"; now it seems there are EsetIpBlacklist.B, EsetIpBlacklist.A, ...? Is there any list of all possible EsetIpBlacklist* threat names? Can we use a wildcard in the threat name to catch them all? Thank you!
Marcos (Administrator), posted August 4, 2023:

EsetIPBlacklist.B are blocks after sending some data. It is not a good idea to create exceptions and let the server be attacked. Instead I would put it behind a firewall and permit only the desired communication to reach the server.
karsayor (Author), posted August 4, 2023:

I did not create an exclusion to allow this traffic, only for it not to create a log, because it fills everything. Block is yes, notify and log is no. I'm not sure I understand: EsetIpBlacklist.A is when blocked before traffic is sent, EsetIpBlacklist.B is when blocked after traffic is sent? So I only need to exclude logging for EsetIpBlacklist.A and EsetIpBlacklist.B, since there is no other EsetIpBlacklist.C nor the old EsetIpBlacklist?
Marcos (Administrator), posted August 4, 2023:

Hiding and ignoring the notifications about blocked connections is not a good practice; I've come across several cases where doing so eventually resulted in a successful attack and files on the machine got encrypted. Ideally no attack attempts should be filtered before reaching the server and should not be detected and logged by ESET. You can take the risk and not log the blocked communication. There are currently no other similar detections, such as EsetIpBlacklist.C, EsetIpBlacklist.D, etc.
karsayor (Author), posted August 9, 2023:

I agree with you; unfortunately the perimeter defenses we have seem to use other blacklists than ESET is using. Can we get the list of EsetIpBlacklists somewhere so we can add them to our firewall dynamically?
Marcos (Administrator), posted August 9, 2023:

There are only EsetIpBlacklist.A and EsetIpBlacklist.B detections.
karsayor (Author), posted August 9, 2023:

I understand this; I meant having access to the source (read access) of those lists of blocked IP addresses, to add them to our perimeter firewall so they are blocked before they get to the server.
Marcos (Administrator), posted August 9, 2023:

Please check out our ESET Threat Intelligence offering: https://www.eset.com/int/business/services/threat-intelligence/

ETI provides various feeds in JSON and STIX2 format:

- Malicious files feed
- Domain feed
- Botnet feed
- URL feed
- APT feed
- IP feed

For more information on pricing please contact your local authorized ESET partner.
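The workflow the thread converges on, feeding a STIX2 IP list into the perimeter firewall instead of suppressing IDS logs, as an added example that is not part of this thread or of ESET's feed tooling. The bundle is a constructed sample in standard STIX 2.1 indicator syntax; the real ETI IP feed layout is not assumed here, and the nftables set name is invented.

```python
"""Turn STIX 2.1 ipv4-addr indicators into an nftables set for a perimeter drop rule."""
import ipaddress
import json
import re

# Constructed sample bundle (NOT ESET feed data). Patterns use the STIX 2.1
# comparison-expression syntax; one non-IP indicator, one duplicate and one
# malformed address are included to show they are filtered out.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.10']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.0/24']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'example.invalid']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.10']"},   # duplicate
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '999.1.1.1']"},    # malformed
        {"type": "indicator", "pattern_type": "stix", "revoked": True,
         "pattern": "[ipv4-addr:value = '203.0.113.7']"},  # revoked, skip
    ],
})

IPV4_PATTERN = re.compile(r"\[ipv4-addr:value\s*=\s*'([^']+)'\]")


def extract_ipv4_networks(bundle_json: str) -> list[str]:
    """Return sorted, de-duplicated CIDR strings from non-revoked ipv4-addr indicators.
    Malformed values are rejected here rather than handed to the firewall."""
    networks = set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        match = IPV4_PATTERN.fullmatch(obj.get("pattern", "").strip())
        if not match:
            continue  # domain/URL/hash indicators belong in other controls
        try:
            net = ipaddress.ip_network(match.group(1), strict=False)
        except ValueError:
            continue
        if net.version == 4:
            networks.add(net)
    return [str(n) for n in sorted(networks)]


def nft_set_fragment(networks: list[str], set_name: str = "eset_ip_feed") -> str:
    """Render an nftables interval set (hypothetical name) for `nft -f`; reference it from
    a rule such as `ip saddr @eset_ip_feed drop` in the input chain."""
    elements = f"    elements = {{ {', '.join(networks)} }}\n" if networks else ""
    return (f"table inet filter {{\n  set {set_name} {{\n    type ipv4_addr\n"
            f"    flags interval\n{elements}  }}\n}}\n")
```

Re-run on each feed refresh and load with `nft -f`; because the set is declared with `flags interval`, both single hosts and CIDR ranges land in the same set.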