Version: 2.10.1

Configuring Custom Threat List

Custom Threat List is a lookup database with the following fields:

  • IP address
  • List name
  • Reputation

Where

  • IP address is provided by the threat list vendor or, for lists with malicious domain names (currently supported from AlienVault OTX), determined by NFO using a reverse-DNS lookup
  • List name is the name of the list specified in the configuration
  • Reputation is provided by the threat list vendor or, for lists with malicious domain names (currently supported from AlienVault OTX), set by NFO using the malicious domain name provided by the list vendor

EDFN Agent Configurations - Settings

Click on Security Threat Feeds IP addresses for 10062.

On this screen you can configure the following parameters:

Cron Schedule

All threat lists are updated on the cron schedule set here.

Default Reputation

If Reputation is not provided by the threat list vendor, you can set a default string here.

Note: The following fields are used for configuration with AlienVault OTX.

Ignore Invalid Feeds

If set to 1, AlienVault feeds that contain neither IP addresses nor domain names are ignored and not imported.

OTX Provider URL

AlienVault OTX URL. Default is https://otx.alienvault.com

OTX API key

Your OTX API key for your OTX Pulses subscription.

Important: All Pulses in your subscription will be imported!

OTX Pulses per Request

Set how many pulses to import in one iteration. Default is 10.

Enable DNS lookup for OTX Domain indicators

If enabled, NFO issues a reverse DNS lookup to obtain the IP addresses of malicious domains. Default is 0 (disabled).

EDFN Agent Configurations - Threat Feeds

Select the next tab and configure threat feeds:

You can add as many feeds as you need by specifying the following:

  • List Name
  • Feed file/URL
  • Pattern

Where

  • List name is the name of the list, reported in the threat_list_name field
  • Feed file/URL is a pointer to a local file or a URL
  • Pattern is a regular expression used to extract the IP address and Reputation fields from the list; the named groups ip and reputation in the example below are what NFO reads

You can use the Table editor mode or CSV. Here is the example from above in CSV format:

Emerging-Threats,https://rules.emergingthreats.net/blockrules/emerging-botcc.rules,"(?<ip>\d{1,3}(\.\d{1,3}){3})"
Brute-Force,file:///opt/flowintegrator/threat-lists/brute-force.txt,"^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) *#(?<reputation>.*)$"
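To show how the List Name, Feed file/URL and Pattern columns turn into the three lookup fields, here is an added Python example (not NFO's own code) that applies the two patterns from the CSV above to constructed feed lines. It assumes NFO patterns use the (?<name>...) named-group syntax shown above (rewritten to Python's (?P<name>...) form), replaces fetching the feed with an in-memory dict, and adds an IP validity check of its own.

```python
import csv
import ipaddress
import re

# Feed configuration in the CSV form shown above (List Name, Feed file/URL, Pattern).
FEEDS_CSV = r'''Emerging-Threats,https://rules.emergingthreats.net/blockrules/emerging-botcc.rules,"(?<ip>\d{1,3}(\.\d{1,3}){3})"
Brute-Force,file:///opt/flowintegrator/threat-lists/brute-force.txt,"^(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) *#(?<reputation>.*)$"
'''
# Constructed stand-in for the feed bodies NFO would fetch from each source; not real feed data.
SAMPLE_FEED_CONTENT = {
    "https://rules.emergingthreats.net/blockrules/emerging-botcc.rules":
        'alert ip [192.0.2.10,192.0.2.11] any -> $HOME_NET any (msg:"ET CNC sample"; sid:1; rev:1;)\n',
    "file:///opt/flowintegrator/threat-lists/brute-force.txt":
        "198.51.100.7   # ssh brute force\n"
        "203.0.113.9 #rdp brute force\n"
        "999.1.1.1 # matches the regex but is not a valid address\n",
}

def to_python_regex(pattern: str) -> re.Pattern:
    # NFO patterns use (?<name>...) groups, Python's re needs (?P<name>...);
    # requiring a letter after '<' leaves lookbehinds (?<= and (?<! untouched.
    return re.compile(re.sub(r"\(\?<(?=[A-Za-z])", "(?P<", pattern))

def parse_feed_config(csv_text: str):
    # One (list_name, source, regex) per CSV row; a pattern without an 'ip' group can never produce a record.
    feeds = []
    for row in csv.reader(csv_text.splitlines()):
        if len(row) != 3:
            raise ValueError(f"expected 3 columns, got {row!r}")
        name, source, pattern = row
        regex = to_python_regex(pattern)
        if "ip" not in regex.groupindex:
            raise ValueError(f"{name}: pattern defines no (?<ip>...) group")
        feeds.append((name, source, regex))
    return feeds

def build_threat_list(csv_text: str, feed_contents: dict, default_reputation: str = "Unknown"):
    # Apply each feed's pattern line by line and emit records with the three lookup
    # fields. \d{1,3} also accepts octets above 255, so validate each match first.
    records = []
    for name, source, regex in parse_feed_config(csv_text):
        for line in feed_contents.get(source, "").splitlines():
            for match in regex.finditer(line):
                try:
                    ip = str(ipaddress.ip_address(match.group("ip")))
                except ValueError:
                    continue  # e.g. 999.1.1.1: drop it rather than poison the lookup table
                reputation = match.groupdict().get("reputation") or default_reputation
                records.append({"ip": ip, "list_name": name, "reputation": reputation.strip()})
    return records
```

The Emerging-Threats pattern has no reputation group, so those records receive the Default Reputation string; the Brute-Force pattern supplies one per line.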

Verifying Configuration

When the configuration is complete, save it, then open it again and press the green Run now button. You should see the list and its timestamp updated:

Click on Custom Threat list to view the list. You can also download it from here: