Standalone IPS systems and RepFeed

Automatic RepFeed updates require a Security Management System (SMS). Only SMS-managed devices are updated automatically; standalone devices require a manual update of the RepFeed from the Threat Management Center (TMC). To install RepFeed on a standalone device, the device license package must show that the TPS is authorized to install RepFeed. If the customer has purchased the RepFeed service, the license package associated with the device is updated to reflect that authorization. However, because a standalone TPS does not automatically update either the license package or the RepFeed, the customer must log in to TMC, download the files, and perform a manual update.

What TippingPoint devices can use RepFeed?

The SMS downloads the data from TMC and distributes it to the TPS device. The following devices can process the RepFeed data:

  • Threat Protection System (vTPS, 440T, 2200T, 1100TX, 5500TX, 8200TX, 8400TX, 8600TXE, 9200TXE)
What RepFeed Version Should I use?
  • SMS managed devices: v1.3.0
  • Standalone device: v1.2.1
What are RepFeed filters used for?

RepFeed filters are most commonly used for the following reasons:

  • Block access to botnet command and control sites
  • Block access to known phishing sites
  • Block DDoS attacks from compromised botnet hosts
  • Block inbound access from "known bad" IP addresses
  • Block outbound access to "known bad" sites
  • Block Spam and phishing e-mails
  • Block Web application attacks from compromised botnet hosts
  • Prevent botnet Trojan downloads
  • Prevent malware, spyware, and worm downloads
  • Restrict or alert on inbound network connections based on country of origin
  • Restrict or alert on outbound network connections based on country of destination
What does the RepFeed score number mean?

The score number assigned to each RepFeed entry signifies how much of a threat the IP address or DNS entry is thought to be. Data is gathered from various sources, analyzed, and assigned a score for each IP address and/or DNS entry.

RepFeed Scoring Numbers

  • 80-100: These IP addresses are blocked by default. DVLabs highly recommends blocking all traffic from these IP addresses.
  • 60-79: These IP addresses are known to be somewhat malicious, but DVLabs may not have enough corroborating information to strongly recommend enabling filters against them.
  • 40-59: These IP addresses are likely malicious; however, Trend Micro TippingPoint has not seen enough information to assign them a score of 60.
  • 20-39: These IP addresses are mostly non-malicious but may have generated undesirable traffic such as spam or high levels of P2P traffic.
  • 0-19: These IP addresses generally do not represent any threat but may have generated slightly suspicious traffic. DVLabs does not recommend enabling filters against these IP addresses.


What are the different RepFeed exploit categories?
RepFeed Exploit Categories

  • Blended Threat: The IP address or DNS name is known to attack using several different attack vectors, for example a host infected with SQL Slammer that is also hosting malware.
  • Botnet: The IP address or DNS name is known to participate as a botnet command and control device. Many newer botnets communicate with nodes in a peer-to-peer fashion; in such cases the RepFeed may contain the individual nodes of the botnet.
  • Malware: IP addresses or DNS names known to be distribution points for malware on the Internet. Websites hosting malicious software are the most common hosts in this category.
  • Miscellaneous: The IP address or DNS name does not fit any other category but is known to be malicious.
  • Misuse and Abuse: The IP address or DNS name is known to misuse resources. Hosts engaged in click fraud, or sites misrepresenting themselves, fall into this category.
  • Mobile: The IP address or DNS name is known to host malicious or suspicious mobile applications, or to participate in CnC-related communication with infected mobile devices.
  • Network Worm: The IP address or DNS name is known to be infected with a network worm. Hosts infected with SQL Slammer or Code Red fall into this category.
  • P2P: The IP address is known to be a central node for a peer-to-peer protocol.
  • Phishing: The IP address or DNS name is known to have executed multiple phishing attacks.
  • Spam: The IP address or DNS name is known to send large amounts of verified spam. This category only contains devices sending very large amounts of spam.
  • Spyware: The IP address or DNS name is known to host significant amounts of spyware. Spyware such as "Hotbar" and "WildTangent" falls into this category.
  • TOR Exit: The IP address or DNS name is known to be a node in the Tor anonymity network, specifically an exit gateway where encrypted Tor traffic leaves for the Internet. This tag covers both published and unpublished Tor nodes.
  • Web Application Attackers: The IP address or DNS name is known to attack vulnerabilities in web applications. Attackers using SQL injection, PHP file inclusion, and cross-site scripting all fall into this category.
  • Worm: These entries are known to actively distribute self-replicating code, otherwise known as a network worm.


From where does the DV team gather RepFeed entries?

The RepFeed data is gathered from the following organizations:

CollecTor Project collector.torproject.org
Emerging Threats http://emergingthreats.net
SANS Institute https://isc.sans.edu
VIPRE Security www.vipre.com
WebRoot http://www.webroot.com
Zvelo (eSoft) http://www.zvelo.com

The reputation team consolidates the data received from various sources and prepares it for distribution. The RepFeed packages are then posted to the Threat Management Center (TMC) website, from which the Security Management System (SMS) downloads them for distribution.

Reputation Feed Chart (image not reproduced here)

Can RepFeed entries be deleted or modified?

The simple answer is no: entries provided by the RepFeed service are read-only and cannot be modified; only User-Provided Entries can be modified. If you find that an IP address or DNS entry is reported as malicious and you know this is incorrect, submit a correction by contacting the Trend Micro Technical Assistance Center (TAC).

Workaround: While you are not able to delete or modify a RepFeed service entry, you can create an "allow list" or user-provided entries that will, in effect, cancel out the entry that has been reported as malicious. User-provided entries take precedence over RepFeed entries.

What are Reputation Exceptions

At times you may need to exempt a specific set of IP addresses or domain names from reputation filtering to suit the needs of your network. To exclude them from all Reputation filters, you create an exception. Profile exceptions affect every Reputation filter in the profile.

What are Tag Categories

Tag categories define the types of tags that may be used to tag Reputation Database entries. A tag category can be created manually or by the Reputation DV. Tag categories created by the reputation service are read-only and cannot be modified.

All tag categories have the following attributes:

  • Name: The name that identifies this tag category. The name must be unique.
  • Type: The type of data that the tag category contains:
    • Text - arbitrary text strings
    • List - a list of items
    • Date - dates and times
    • Yes/No - a yes or no value
    • Numeric Range - a range of whole numbers
  • Description: A brief description (up to 255 characters) indicating how the tag category will be used.



Procedures:

This section provides information on configuring Reputation Settings, how to create RepFeed filters, Exceptions, and allow lists.

Notes and Points to Remember:

  • A Reputation filter associates an action set with one or more entries in the Reputation Database. Possible actions include block, permit, notify, and trace. When the profile containing the Reputation filter is distributed to a device, the specified actions are applied to traffic that matches the addresses of tagged entries in the Reputation Database that have been screened using specified tag criteria.
  • Creating a Reputation filter consists of two steps. In the first step, you define the general settings: the filter name, state, locked status, action set, and the type of Reputation Database entries. In the second step, you specify the tag criteria to use when matching entries in the Reputation Database.
  • In general, filters with a "Permit + Notify" action set should sit below filters with a "Block + Notify" action set, unless the filter is being used as part of an allow list, in which case it must sit above the Block filters it is meant to override.
  • When you assign two criteria to a Reputation filter, both criteria must be met. For example, if you assign the criteria Malware/Botnet and Reputation DV Score greater than or equal to 80, only sites with a reported Botnet tag and a score of 80 or greater will trigger the filter.
  • If no Reputation DV Score criterion is included in the filter, every entry that meets the remaining criteria matches regardless of score. In the example above, every site tagged Botnet would be blocked whatever its score.
  • After creating Reputation Filters, you must distribute the profile to one or more devices in order to fully activate the feature. If you unmanage a device and then re-manage the same device, you must redistribute all the profiles to all the segments for reputation distribution to start working again.
  • The Reputation Filters Table displays the available Reputation filters in order of precedence so as to resolve overlapping criteria.

How to: Edit Reputation Settings

Reputation Settings apply to all reputation filters in a profile. The Filter Matching Address setting specifies which address of an incoming packet is used when testing for a filter match. The Lookup Packet Handling setting specifies what the device should do with packets that arrive during a reputation lookup. Depending on your version of SMS the steps to edit the Reputation settings will differ.

  1. Click on Profiles > Inspection Profiles and expand the profile you wish to work with.
  2. Select Reputation/Geo.
  3. On the Filters and Settings screen, click Edit Settings.
  4. The Reputation Settings dialog box displays.
  5. Do one of the following:
    • Select Locked to lock the reputation settings.
    • Clear Locked to unlock reputation settings.
  6. In the Filter Matching Address area, select an option to specify addresses to use for filter comparisons:
    • Both source and destination addresses
    • Source address only
    • Destination address only
  7. In the Lookup Packet Handling area, select an option to specify how incoming packets are handled during a lookup:
    • Permit packets
    • Block packets - Blocking packets during the lookup can also block traffic to legitimate sites until the lookup completes.
  8. Reputation Enforcement Options - This setting specifies that the DNS filter action is also applied to HTTP requests with matching DNS hostnames.
  9. Click OK to save your settings

How to: Add/Edit a Reputation Tag Category

  1. Navigate to the Profiles > Reputation Database screen and select the Tag Categories tab.
  2. To create a new tag category, click Add.
  3. To edit an existing tag, select a tag from the table and click Edit or right-click the selected tag entry and choose Edit.
  4. In the General area, complete the following information:
    • Name - a unique name that identifies the tag category.
    • Type - the type of data (Text, List, Date, Yes/No, Numeric Range) that the tag category contains. Tag category types cannot be edited once created.
    • Description - a brief description (up to 255 characters) indicating how the tag category is to be used.
  5. In the Settings area, enter the appropriate information for the type of tag category you selected.
  6. Click OK.

How to: Delete a Reputation Tag Category

  1. Navigate to the Profiles > Reputation Database screen and select the Tag Categories tab.
  2. From the Tag Categories table, select an entry and click Delete.

How to: Create/Edit a RepFeed filter

  1. From the Profiles > Inspection Profiles expand a profile in the left navigational tree.
  2. Select Reputation/Geo.
  3. Perform one of the following tasks:
    • To create a new filter, click New Reputation.
    • To edit an existing filter, select a filter in the list and click Edit. The Reputation Filter wizard displays.
  4. On the General Settings screen, specify the following information:
    • Locked - Select Locked to lock the filter for editing.
    • Name - Enter a filter name.
    • State - Select Enabled to enable the filter.
    • Action Set - Select the appropriate block or permit action from the drop-down box
    • Comments - Provide a brief description or comment about the filter.
  5. In the navigation pane of the wizard, select Entry Selection Criteria and specify the following items:
    • Entry Criteria - Select the type of address entries (IPv4, IPv6, or DNS Domains) from the Reputation Database to include in the filter.
    • Tag Criteria - Select the type of tag entries (tagged or untagged) from the Reputation Database to include in the filter and then select the checkbox next to any tag category you want to include.
      • NOTE: In the "Entry Selection Criteria" you can choose IPv4, IPv6, DNS Domain, or any combination. A DNS Domain entry matches only the DNS lookup for that name, so if the lookup does not pass through the IPS, the traffic will not be blocked. You can also select "Includes Tagged Value", "Includes Untagged Value" or both.
        • Untagged Entries - If checked will include all the untagged entries in the reputation database.
        • Tagged Entries - If checked will include the tagged entries specified by the tag criteria given in the section below. If no criterion is provided in the section below this checkbox, then all entries which have at least one tag wil
  6. Optionally configure a Reputation DV Score criterion. If none is set, the filter matches the selected entries regardless of score.
  7. Click OK to save the filter and distribute the profile to make it active.
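
The following Python model is an added illustration written for this page; it is not SMS code and not part of the original article. It shows how the three Reputation Settings from the "Edit Reputation Settings" procedure interact with a single packet: which packet addresses are tested (Filter Matching Address), what happens to packets that arrive while a lookup is still pending (Lookup Packet Handling), and how the Reputation Enforcement option extends a DNS Domain entry's action to HTTP requests carrying that hostname, which is the caveat in the NOTE above about DNS lookups that never pass through the IPS. The Packet and Settings classes, their field names, and the blocked-address sets are assumptions constructed for the example.

```python
# Model of the Reputation Settings above: an illustration written for this page,
# not SMS code. Packet/Settings fields and the blocked sets are constructed assumptions.
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data: entries a Block+Notify Reputation filter would match.
BLOCKED_IPS = {"203.0.113.10"}
BLOCKED_DOMAINS = {"bad.example"}        # DNS Domain entries in the Reputation Database


@dataclass
class Settings:
    matching_address: str = "both"         # "both" | "source" | "destination"
    lookup_handling: str = "permit"        # "permit" | "block" for packets seen during a pending lookup
    dns_enforcement_on_http: bool = False  # Reputation Enforcement Option: DNS action also on HTTP Host


@dataclass
class Packet:
    src: str
    dst: str
    dns_qname: Optional[str] = None        # set when the packet is a DNS query
    http_host: Optional[str] = None        # set when the packet is an HTTP request (Host header)


def addresses_to_test(pkt: Packet, settings: Settings) -> List[str]:
    """Filter Matching Address decides which packet addresses are compared against the database."""
    if settings.matching_address == "source":
        return [pkt.src]
    if settings.matching_address == "destination":
        return [pkt.dst]
    return [pkt.src, pkt.dst]


def domain_listed(name: Optional[str]) -> bool:
    """Exact-name match against DNS Domain entries (assumed; the page does not define subdomain handling)."""
    return name is not None and name.lower().rstrip(".") in BLOCKED_DOMAINS


def decide(pkt: Packet, settings: Settings, lookup_complete: bool = True) -> str:
    """Return 'block' or 'permit' for one packet under the given Reputation Settings."""
    if not lookup_complete:
        # Lookup Packet Handling: the packet arrived before the reputation lookup finished.
        return settings.lookup_handling
    if any(addr in BLOCKED_IPS for addr in addresses_to_test(pkt, settings)):
        return "block"
    # A DNS Domain entry matches only the DNS lookup for that name ...
    if domain_listed(pkt.dns_qname):
        return "block"
    # ... unless the enforcement option extends the DNS action to HTTP requests with that Host.
    if settings.dns_enforcement_on_http and domain_listed(pkt.http_host):
        return "block"
    return "permit"


def walkthrough() -> dict:
    """Constructed scenarios; returns the decision for each so the behaviour can be checked."""
    inbound_from_listed = Packet(src="203.0.113.10", dst="10.0.0.5")
    dns_query = Packet(src="10.0.0.5", dst="10.0.0.53", dns_qname="bad.example")
    # HTTP request to an already-resolved IP: the DNS lookup used a resolver the IPS never saw.
    http_request = Packet(src="10.0.0.5", dst="198.51.100.7", http_host="bad.example")
    return {
        "dst_only_misses_inbound_source": decide(inbound_from_listed, Settings(matching_address="destination")),
        "src_only_catches_inbound_source": decide(inbound_from_listed, Settings(matching_address="source")),
        "both_catches_inbound_source": decide(inbound_from_listed, Settings()),
        "dns_query_through_ips": decide(dns_query, Settings()),
        "http_without_enforcement": decide(http_request, Settings()),
        "http_with_enforcement": decide(http_request, Settings(dns_enforcement_on_http=True)),
        "pending_lookup_block": decide(inbound_from_listed, Settings(lookup_handling="block"), lookup_complete=False),
        "pending_lookup_permit": decide(inbound_from_listed, Settings(), lookup_complete=False),
    }
```

The "http_without_enforcement" scenario is the failure mode the NOTE warns about: the client resolved bad.example somewhere the IPS could not see, so only a DNS Domain entry would never stop the connection; enabling the enforcement option (or adding the resolved IP as an IP entry) closes that gap.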

How to: Change the Precedence of a Reputation Filter

  1. From the Profiles > Inspection Profiles expand a profile in the left navigational tree.
  2. Select Reputation/Geo.
  3. In the Reputation Filters list, select an entry and then click the appropriate button:
    • Click Move Up to move the highlighted entry up.
    • Click Move Down to move the highlighted entry down.
  4. The new order is automatically saved.

How to: Create or Edit a Reputation Domain Name Exception

  1. From the Profiles > Inspection Profiles expand a profile in the left navigational tree.
  2. Select Reputation/Geo.
  3. Select the DNS Exceptions tab, and do one of the following:
    • In the Reputation Domain Name Exceptions section, click Add to create a new exception.
    • In the Reputation Domain Name Exceptions section, select an entry and click Edit to modify an existing exception.
    • The Create Reputation Domain Name Exception dialog box displays.
  4. In the Domain Name field, provide or modify the domain name for the exception.
  5. Select Locked if you want to lock the settings.
  6. Click OK to save.

How to: Create or Edit a Reputation IP Address Exception

  1. From the Profiles > Inspection Profiles expand a profile in the left navigational tree.
  2. Select Reputation/Geo.
  3. Select the IP Exceptions tab, and do one of the following:
    • In the Reputation IP Address Exceptions section, click Add to create a new exception.
    • In the Reputation IP Address Exceptions section, select an entry and click Edit to modify an existing exception.
    • The Create/Edit Address Pair dialog box displays.
  4. In the Name field, provide or modify the name for the exception.
  5. In the Source IP Address field, do one of the following:
    • Select Any IP to apply the exception to all traffic sources.
    • Select IP Address, and provide or select an IP address to apply the exception to that specific source.
  6. In the Destination IP Address field, do one of the following:
    • Select Any IP to apply the exception to all traffic destinations.
    • Select IP Address, and specify an IP address to apply the exception to that specific destination.
  7. Select Locked if you want to lock the settings.
  8. Click OK to save.

How to: Create an allow list

To create an allow list, perform the following three steps:

  1. Create a Tag Category - Tag categories define the types of tags that may be used to tag reputation database entries. This kind of metadata helps describe an item and allows it to be found again by performing a search.
  2. Create a User-Provided Entry - User-provided entries contain the IP address or DNS domain name of the system you want the filter to act on; for an allow list, the system you want to permit.
  3. Create a Reputation Filter - A Reputation Filter associates an action set with one or more entries in the Reputation Database.

Create a Tag Category

  1. From the toolbar, select Profiles
  2. On the left Navigation menu select the Reputation Database. The Reputation Database screen displays.
  3. On the Reputation Database screen select the Tag Categories tab.
  4. On the Tag Categories tab click Add. The Create Tag Category screen displays.
  5. In the General section enter the following information:
    • Name: Enter a name for the category. (e.g. allow list)
    • Type: Select Yes/No from the drop-down menu.
    • Description: Enter a description for the category.
  6. On the Create Tag Category screen, click OK to close and return to the Tag Categories tab.

Create User-Provided Entry

  1. On the left navigation menu select User Entries. The User Entry screen displays.
  2. In the User Entries screen, click Add. The Create Reputation Entry screen displays.
  3. Select IP Address, DNS Domain or URL depending on the entry you wish to allow list.
  4. In the Tag area, select the Tag Category created in the previous procedure (e.g. allow list) and select Yes from the options provided. Optionally, click "Add Tag Category" to create a new tag category.
  5. Click OK when finished.

Create a Reputation Filter

  1. From the toolbar, select Profiles
  2. On the left navigation menu expand Inspection Profiles and select the "Profile" that you wish to modify.
  3. On the "Profile" select Reputation / Geo.
  4. In the Filters and Setting section, select New Reputation. The Create Reputation Filter screen displays.
  5. In the General Settings area under Filter Info enter a Name for the filter.
  6. In the Action area under Action Set select Permit+Notify from the drop-down menu.
  7. Select the Entry Selection Criteria tab, and in the Tag area:
    • Select the Tag Category previously created (e.g. allow list).
    • Un-check the Reputation DV Score tag.
  8. Click OK to save the filter, then make sure the new Permit+Notify filter sits above any Block filters in the Reputation Filters list (see "How to: Change the Precedence of a Reputation Filter"); otherwise a Block filter higher in the list matches first. Distribute the profile by selecting Distribute.
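
The Python model below is an added illustration, not SMS code and not part of the original article. It ties together the "Notes and Points to Remember" on filter evaluation (tag criteria on one filter are ANDed, a filter without a Reputation DV Score criterion matches any score, the Reputation Filters table order is precedence) and the allow-list procedure just completed: a User-Provided Entry tagged "allow list = Yes" plus a Permit+Notify filter keyed on that tag, which only works when it sits above the Block filters. The Entry and ReputationFilter classes, the rule that user-provided tags are overlaid on RepFeed tags for the same address (one reading of "user-provided entries take precedence"), and all addresses and scores are assumptions constructed for the example.

```python
# Model of Reputation filter evaluation and the allow-list workflow above: an
# illustration written for this page, not SMS code. Classes, the tag-overlay rule
# for user-provided entries, and all addresses/scores are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

Criterion = Union[str, int, tuple]          # exact value, or (low, high) for a Numeric Range


@dataclass(frozen=True)
class Entry:
    address: str                            # IPv4, IPv6 address or DNS domain name
    tags: Dict[str, object]                 # tag category name -> tag value
    user_provided: bool = False             # False = RepFeed (read-only), True = User-Provided Entry


@dataclass
class ReputationFilter:
    name: str
    action_set: str                         # e.g. "Block+Notify" or "Permit+Notify"
    tag_criteria: Dict[str, Criterion]      # every criterion must be met (AND)
    enabled: bool = True


def criterion_met(value, wanted: Criterion) -> bool:
    """A (low, high) tuple is a Numeric Range criterion; anything else is an exact match."""
    if value is None:
        return False
    if isinstance(wanted, tuple):
        low, high = wanted
        return low <= value <= high
    return value == wanted


def filter_matches(tags: Dict[str, object], flt: ReputationFilter) -> bool:
    """Two criteria on one filter both have to hold; no score criterion means any score."""
    if not flt.enabled:
        return False
    return all(criterion_met(tags.get(cat), want) for cat, want in flt.tag_criteria.items())


def effective_tags(db: List[Entry], address: str) -> Optional[Dict[str, object]]:
    """Tags in force for one address. Assumed model of 'user-provided entries take
    precedence': RepFeed tags are loaded first, then user tags overwrite them."""
    feed = [e for e in db if e.address == address and not e.user_provided]
    user = [e for e in db if e.address == address and e.user_provided]
    if not feed and not user:
        return None
    merged: Dict[str, object] = {}
    for entry in feed + user:
        merged.update(entry.tags)
    return merged


def evaluate(db: List[Entry], filters: List[ReputationFilter], address: str) -> Optional[str]:
    """Walk the filters in table order (precedence); the first matching filter's action set wins."""
    tags = effective_tags(db, address)
    if tags is None:
        return None                         # address not in the Reputation Database
    for flt in filters:
        if filter_matches(tags, flt):
            return flt.action_set
    return None                             # in the database, but no filter matched


# Constructed sample data (documentation-range addresses, invented scores).
REPFEED = [
    Entry("203.0.113.10", {"Category": "Botnet", "Reputation DV Score": 92}),
    Entry("203.0.113.20", {"Category": "Botnet", "Reputation DV Score": 65}),
    Entry("198.51.100.5", {"Category": "Spam", "Reputation DV Score": 88}),
]
# The User-Provided Entry from the allow-list procedure: Yes/No tag category "allow list".
USER_ENTRIES = [Entry("203.0.113.10", {"allow list": "Yes"}, user_provided=True)]

BLOCK_HIGH_BOTNET = ReputationFilter("Block botnet C2, score >= 80", "Block+Notify",
                                     {"Category": "Botnet", "Reputation DV Score": (80, 100)})
BLOCK_ANY_BOTNET = ReputationFilter("Block botnet C2, any score", "Block+Notify",
                                    {"Category": "Botnet"})
ALLOW_LIST = ReputationFilter("allow list", "Permit+Notify", {"allow list": "Yes"})


def demo(allow_list_first: bool = True) -> Dict[str, Optional[str]]:
    """Outcomes for the scenarios in the notes; allow_list_first controls filter precedence."""
    db = REPFEED + USER_ENTRIES
    table = [ALLOW_LIST, BLOCK_HIGH_BOTNET] if allow_list_first else [BLOCK_HIGH_BOTNET, ALLOW_LIST]
    return {
        "botnet_score_65_vs_score_filter": evaluate(db, [BLOCK_HIGH_BOTNET], "203.0.113.20"),  # AND: no match
        "botnet_score_65_vs_category_only": evaluate(db, [BLOCK_ANY_BOTNET], "203.0.113.20"),  # blocked
        "spam_vs_botnet_filters": evaluate(db, [BLOCK_ANY_BOTNET], "198.51.100.5"),           # wrong category
        "allow_listed_botnet_c2": evaluate(db, table, "203.0.113.10"),                        # depends on order
        "address_not_in_database": evaluate(db, table, "192.0.2.1"),
    }
```

Calling demo(allow_list_first=False) shows the ordering mistake the notes warn about: with the allow-list filter left at the bottom of the table, the Block filter matches 203.0.113.10 first and the user-provided "allow list = Yes" tag never gets a chance to permit it.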