Creating a Blacklist Using Yes/No Tags in TippingPoint Appliances with Reputation Filters
Overview
In TippingPoint appliances, users can enhance network security by creating a blacklist using reputation filters. This involves utilizing Yes/No tags to categorize IP addresses, domains, or URLs based on custom criteria. This article will guide you through the steps to create a custom tag category, add user entries with that category, and set up a reputation filter that utilizes the custom tags with appropriate actions.
Steps to Create a Blacklist Using Yes/No Tags
Follow these steps to create a blacklist using Yes/No tags in TippingPoint appliances:
Step 1: Create a Custom Tag Category
- Navigate to the Reputation Database: On the SMS client, navigate to the Profiles tab. Then, in the tree dropdown, find Reputation Database, and find the Tag Categories tab.
- Create a New Tag Category:
  - Click on New at the bottom of the page.
  - Enter a name for your tag category (e.g., Blacklist entry), and optionally, a description.
  - Choose the type as Yes/No.
  - Click OK to create the category.
Step 2: Add User Entries with the Custom Tag
- Find the User Entries: In the tree dropdown, navigate to User Entries under Reputation Database.
- Add New User Entry:
  - Click on Add.
  - Enter the IP address or domain you wish to tag.
  - In the tagging options, select the custom tag category you created earlier (e.g., Blacklist entry).
  - Assign a Yes or No tag based on the reputation of the entry:
    - Yes Tag: For entries that are known threats.
    - No Tag: For trusted entries that should not be blocked.
  - Click OK to add the entry.
Step 3: Set Up a Reputation Filter Using the Tag Category
- Navigate to Reputation Filters: Under the tree dropdown in the Profiles tab, navigate to Profiles > Inspection Profiles > Reputation/Geo.
- Create a New Reputation Filter:
  - Click on New Reputation… to begin creating a new reputation filter.
  - Enter a descriptive name for the filter (e.g., Blacklist Filter).
- Define Filter Criteria:
  - In the General Settings, choose an Action Set such as Block or Block + Notify (or Permit + Notify for testing purposes).
  - In Entry Selection Criteria, click the checkbox for the new Tag Category created earlier. Click the arrow next to the new Tag Category to drop the window down, and change the criteria to Tag value is Yes.
  - Click OK to save the reputation filter.
  - Click Distribute at the bottom of the page to distribute the configuration to the inspection devices.
Step 4: Monitor and Adjust the Filter
- Monitor Event Logs: After applying the filter, periodically review the inspection events under Events > Inspection Events > Reputation Events.
- Adjust Filter Settings: If necessary, adjust the filter criteria and tags based on ongoing network assessments and threat intelligence.
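An added example, not part of the original article or of any TippingPoint tooling: a Python pre-check that vets a candidate list before it is entered as User Entries in Step 2. It rejects malformed values and any Yes-tagged entry that overlaps an entry tagged No or a caller-supplied protected range, then lists what the Tag value is Yes criterion from Step 3 would select. The function names, the protected parameter and the sample data are assumptions for illustration; how the appliance itself resolves overlapping entries is not covered here.

```python
import ipaddress
import re

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def normalize(value):
    """Return an ip_network for an IP/CIDR, or a lowercased domain string."""
    v = value.strip().lower().rstrip(".")
    try:
        return ipaddress.ip_network(v, strict=False)
    except ValueError:
        if DOMAIN_RE.match(v):
            return v
        raise ValueError("not an IP address, CIDR block or domain")

def label(entry):  # bare address for single hosts, CIDR or domain otherwise
    single = not isinstance(entry, str) and entry.num_addresses == 1
    return str(entry.network_address if single else entry)

def vet_entries(candidates, protected=()):
    """Return (accepted {entry: tag}, rejected [(value, reason)])."""
    parsed, rejected = [], []
    for value, tag in candidates:
        try:
            if tag not in ("Yes", "No"):
                raise ValueError("tag must be Yes or No")
            parsed.append((value, normalize(value), tag))
        except ValueError as exc:
            rejected.append((value, str(exc)))
    # Trusted = caller-supplied protected ranges plus everything tagged No.
    nets = [ipaddress.ip_network(p) for p in protected]
    nets += [e for _, e, t in parsed if t == "No" and not isinstance(e, str)]
    names = {e for _, e, t in parsed if t == "No" and isinstance(e, str)}
    accepted = {}
    for value, entry, tag in parsed:
        if tag == "Yes" and (entry in names if isinstance(entry, str) else any(
                n.version == entry.version and n.overlaps(entry) for n in nets)):
            rejected.append((value, "overlaps a trusted or protected entry"))
        else:
            accepted[label(entry)] = tag
    return accepted, rejected

def matched_by_filter(accepted):
    """Entries the 'Tag value is Yes' criterion would select."""
    return sorted(e for e, t in accepted.items() if t == "Yes")

# Constructed sample input (documentation ranges and example domains).
SAMPLE = [("203.0.113.7", "Yes"), ("Bad.Example.COM.", "Yes"),
          ("192.0.2.10", "No"), ("192.0.2.0/24", "Yes"), ("10.1.2.3", "Yes"),
          ("not a host", "Yes"), ("example.org", "Maybe")]
```

Calling vet_entries(SAMPLE, protected=["10.0.0.0/8"]) keeps the two clean Yes entries and the No entry, and rejects the /24 that would cover the trusted address.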
Conclusion
By following these steps, you can effectively create a blacklist using Yes/No tags in TippingPoint appliances. This method allows for proactive management of network security by blocking user-defined threats. Regularly review and update your blacklist to adapt to the evolving threat landscape.