EsetIpBlacklist.A, EsetIpBlacklist.B and IDS Exclusions


Hello 

I had to set some exclusions for IDS to prevent the logs from overfilling; I disabled the logging of these events:

[screenshot of the IDS exclusion settings]

Until a few months ago the Threat Name was EsetIpBlacklist; now it seems there are EsetIpBlacklist.B, EsetIpBlacklist.A, ...?

Is there any list of all possible EsetIpBlacklist* threat names? Can we use a wildcard in the threat name to catch them all?

Thank you !


  • Administrators

EsetIpBlacklist.B are blocks made after some data has been sent. It is not a good idea to create exceptions and let the server be attacked. Instead I would put it behind a firewall and permit only the desired communication to reach the server.


I did not create an exclusion to allow this traffic, only so that it does not create a log entry, because it fills everything. Block is yes, notify and log is no.

I'm not sure I understand: EsetIpBlacklist.A is when it is blocked before traffic is sent, and EsetIpBlacklist.B is when it is blocked after traffic is sent?

So I only need to exclude logging for EsetIpBlacklist.A and EsetIpBlacklist.B, since there is no other EsetIpBlacklist.C nor the old EsetIpBlacklist?


  • Administrators

Hiding and ignoring the notifications about blocked connections is not a good practice; I've come across several cases where doing so eventually resulted in a successful attack and files on the machine got encrypted. Ideally no attack attempts should be filtered before reaching the server and should not be detected and logged by ESET. You can take the risk and not log the blocked communication. There are currently no other similar detections, such as EsetIpBlacklist.C, EsetIpBlacklist.D, etc.


I agree with you; unfortunately the perimeter defenses we have seem to use other blacklists than the ones ESET is using. Can we get the list of ESET IP blacklists somewhere so we can add them to our firewall dynamically?


I understand this; I meant having (read) access to the source of those lists of blocked IP addresses, to add them to our perimeter firewall so they are blocked before they get to the server :)


  • Administrators

Please check out our ESET Threat Intelligence offering: https://www.eset.com/int/business/services/threat-intelligence/

ETI provides various feeds in JSON and STIX2 format:
Malicious files feed
Domain feed
Botnet feed
URL feed
APT feed
IP feed

For more information on pricing please contact your local authorized ESET partner.

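Since the IP feed above is offered in STIX2, here is an added example (not ESET's code, and the bundle is a constructed sample rather than real ETI data) of turning STIX 2.1 IP indicators into firewall block-list entries, with the checks a perimeter operator wants before blocking on a feed: revoked indicators, malformed values, loopback/multicast addresses and the organisation's own networks are skipped. The ipset set name and the protected network are assumptions.

```python
import ipaddress
import json
import re

# Comparison form used by STIX 2.1 indicator patterns, e.g.
# [ipv4-addr:value = '203.0.113.10' OR ipv4-addr:value = '203.0.113.11']
_IP_PATTERN = re.compile(r"ipv[46]-addr:value\s*=\s*'([^']+)'")

# Constructed sample in STIX 2.1 indicator form (not real ETI data): a two-IP
# pattern, a revoked one, our own LAN, a malformed value, a domain indicator.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--0000", "objects": [
    {"type": "indicator", "id": "indicator--0001", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.10' OR ipv4-addr:value = '203.0.113.11']"},
    {"type": "indicator", "id": "indicator--0002", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.7']", "revoked": True},
    {"type": "indicator", "id": "indicator--0003", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '192.168.1.5']"},
    {"type": "indicator", "id": "indicator--0004", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = 'not-an-ip']"},
    {"type": "indicator", "id": "indicator--0005", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'example.invalid']"},
]})


def extract_block_ips(bundle_json, protected_networks=()):
    """Sorted, de-duplicated addresses safe to push to a firewall block set.
    Skips revoked indicators, non-IP or unparsable values, loopback/multicast,
    and anything in protected_networks (your own ranges) so a bad feed entry
    cannot lock you out of the server it is meant to protect."""
    protected = [ipaddress.ip_network(n) for n in protected_networks]
    found = set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        for raw in _IP_PATTERN.findall(obj.get("pattern", "")):
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                continue  # malformed entry: skip it rather than block on it
            if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
                continue
            if any(addr in net for net in protected):
                continue
            found.add(addr)
    return sorted(found, key=lambda a: (a.version, int(a)))


def to_ipset_commands(addresses, set_name="eset_ipblacklist"):
    """One `ipset add` line per address; -exist keeps reruns idempotent."""
    return [f"ipset add {set_name} {a} -exist" for a in addresses]
```

Run the feed through `extract_block_ips(..., protected_networks=["192.168.0.0/16"])` on a schedule and apply the resulting commands to an ipset referenced by your firewall rules, so the block list is refreshed without editing rules by hand.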
