Reputation Feed (RepFeed)

    • Updated:
    • 24 Aug 2017
    • Product/Version:
    • TippingPoint SMS All
    • TippingPoint Virtual SMS
    • Platform:
Summary
1. Overview:

Threat Digital Vaccine (ThreatDV) is a combination of the Reputation Feed (formerly known as RepDV) and a malware filter package. Reputation Feed (RepFeed) is a subscription-based service that identifies and delivers suspect IPv4, IPv6 and Domain Name System (DNS) security intelligence feeds from a multi-vendor, global reputation database, so that customers can actively enforce and manage reputation security policies using the TREND MICRO TippingPoint Next Generation Intrusion Prevention System (NGIPS) platform.

The addresses are tagged with reputation, geographic, and other identifiers for ready and easy security policy creation and management. The Reputation Feed provides the addresses and tags multiple times a day (every two hours on average), in the same manner as standard Digital Vaccines. You can choose to download addresses into the Reputation database automatically or manually.

Details
2. Standalone IPS systems and RepFeed

Automatic RepFeed updates require a Security Management System (SMS). Only SMS-controlled IPSs are updated automatically; standalone IPS devices require a manual update of the RepFeed from the TMC. In order to install RepFeed on a standalone IPS, the IPS license package must reflect that the IPS is authorized to install RepFeed. If the customer has purchased the RepFeed service, the license package associated with the device is updated to reflect the RepFeed authorization. However, since a standalone IPS does not update the license package or the RepFeed automatically, the customer must access the TMC, download the files and perform a manual update.

3. What IPS devices can use RepFeed?

Only the IPS devices process RepFeed data; the SMS downloads the data from the TMC and distributes it to the IPS devices. The following devices can process RepFeed data:

  • S-Series (S10, S110, S330)
  • N-Platform (660N, 1400N, 2500N, 5100N, 6100N)
  • NX-Platform (2600NX, 5200NX, 6200NX, 7100NX, 7500NX)
  • Next Generation Firewall (S1050F, S3010F, S3020F, S8005F, S8010F)
  • Threat Protection System (vTPS, 440T, 2200T)
4. What RepFeed Version Should I use?

Just as Digital Vaccines are created in different version numbers for different TOS versions, so are RepFeed packages.

If the IPS is controlled by an SMS:

  • RepFeed v1.3.0 is for SMS v3.2+

If the IPS is a standalone IPS:

  • RepFeed v1.2.1
5. What are RepFeed filters used for?

RepFeed filters are most commonly used for the following reasons:

  • Block access to botnet command and control sites
  • Block access to known phishing sites
  • Block DDoS attacks from compromised botnet hosts
  • Block inbound access from "known bad" IP addresses.
  • Block outbound access to "known bad" sites.
  • Block Spam and phishing e-mails
  • Block Web application attacks from compromised botnet hosts
  • Prevent botnet Trojan downloads
  • Prevent malware, spyware and worm downloads
  • Restrict or alert on inbound network connections based on country of origin
  • Restrict or alert on outbound network connections based on country of destination
6. What does the RepFeed score number mean?

The score number assigned to each RepFeed entry signifies how much of a threat the IP address or DNS entry is thought to be. Data is gathered from various sources and analyzed, and each IP address and/or DNS entry is assigned a score.

RepFeed Scoring Numbers (Score - Explanation):

  • 80-100 - These IP addresses are blocked by default. DVLabs highly recommends that you block all traffic from these IP addresses.
  • 60-79 - These IP addresses are known to be somewhat malicious, but DVLabs may not have enough corroborating information to make a stronger recommendation towards enabling them.
  • 40-59 - These IP addresses are likely to be malicious; however, TREND MICRO TippingPoint has not seen enough information to assign them a score of 60.
  • 20-39 - These IP addresses are mostly non-malicious in nature, but may have generated undesirable traffic such as SPAM or high levels of P2P traffic.
  • 0-19 - These IP addresses generally do not represent any threat, but may have generated slightly suspicious traffic. DVLabs does not recommend that you enable these IP addresses.

7. What are the different RepFeed exploit categories?

RepFeed Exploit Categories (Exploit - Explanation):

  • Blended Threat - IP address or DNS name known to attack using several different attack vectors. An example of a host in this category is one that is infected with Slammer and is also hosting malware.
  • Botnet - IP address or DNS name known to participate as a botnet command and control device. Many newer botnets communicate with nodes in a peer-to-peer fashion; in such cases the RepFeed may contain the individual nodes of the botnet.
  • Malware - IP address or DNS name known to be a distribution point for malware on the Internet. Websites hosting malicious software are the most common hosts in this category.
  • Miscellaneous - IP address or DNS name that does not fit into any other category but is known to be malicious.
  • Misuse and Abuse - IP address or DNS name known to misuse resources. Hosts using click fraud, or sites misrepresenting themselves, might fall into this category.
  • Mobile - IP address or DNS name known to host malicious/suspicious mobile applications or to participate in CnC-related communication with infected mobile devices.
  • Network Worm - IP address or DNS name known to be infected with a network worm. Hosts infected with SQL Slammer or Code Red fall into this category.
  • P2P - IP address known to be a central node for a peer-to-peer protocol.
  • Phishing - IP address or DNS name known to have executed multiple phishing attacks.
  • Spam - IP address or DNS name known to be sending very large amounts of verified spam traffic. This category only contains devices sending very large amounts of spam.
  • Spyware - IP address or DNS name known to be hosting significant amounts of spyware. Spyware such as "Hotbar" and "WildTangent" falls into this category.
  • TOR Exit - IP address or DNS name known to be a node in an anonymous network, i.e. a gateway where encrypted Tor traffic reaches the Internet. This tag consists of both published and unpublished Tor nodes.
  • Web Application Attackers - IP address or DNS name known to attack vulnerabilities in web applications. Attackers using SQL injection, PHP file include, and cross-site scripting all fall into this category.
  • Worm - These entries are known to be actively distributing self-replicating code, otherwise known as a network worm.


8. From where does the DV team gather RepFeed entries?

The RepFeed data is gathered from the following organizations:

  a. DV Labs - http://www.trendmicro.com/go/dvlabs
  b. Emerging Threats - http://emergingthreats.net/
  c. eSoft - http://www.esoft.com
  d. Malware Domain List - http://www.malwaredomainlist.com
  e. Norse DarkList - http://www.norse-corp.com/
  f. SANS Institute - http://www.sans.org
  g. Sunbelt Border Patrol List - http://sunbeltsecurity.com
  h. WebRoot - http://www.webroot.com


The DV Labs team consolidates the data received from the various sources and prepares the same for distribution. The RepFeed packages are then posted to the Threat Management Center (TMC) website from which the Security Management System (SMS) downloads the packages for distribution to the Intrusion Prevention System (IPS).


9. Can RepFeed entries be deleted or modified?

The simple answer is no. RepFeed database entries provided by the RepFeed service are read-only and as such cannot be modified; only User Provided Entries can be modified. If you find that an IP address or DNS entry is being reported as malicious and you know that this information is incorrect, you can submit a correction by contacting the Trend Micro Technical Assistance Center (TAC).

Workaround: While you are not able to delete or modify a RepFeed service entry, you can create a "whitelist" of user provided entries that will in effect cancel out the entry that has been reported as malicious. User Provided Entries take precedence over RepFeed entries.


10. What are Reputation Exceptions?

At times, you may need to have RepFeed filters focus on a specific set of IP addresses according to the needs of your network. To restrict all Reputation filters to run against specific IP addresses or domain names, you create an exception. Profile exceptions affect all Reputation filters.


11. What are Tag Categories?

Tag categories define the types of tags that may be used to tag reputation database entries. A tag category can be created manually or by the Reputation DV. Tag categories created by the reputation service are read-only and may not be modified.

All tag categories have the following attributes:

Tag Category Attributes (Column - Description):

  • Name - The name that identifies this tag category. The specified name must be unique.
  • Type - The type of data that the tag category contains:
    • Text - arbitrary text strings
    • List - list of items
    • Date - dates and times
    • Yes/No - yes or no value
    • Numeric Range - range of whole numbers
  • Description - A brief description (up to 255 characters) indicating how the tag category is to be used.

12. How to:

This section provides information on configuring Reputation Settings and on creating RepFeed filters, exceptions and whitelists.

Notes and Points to Remember:

  • A Reputation filter associates an action set with one or more entries in the Reputation Database. Possible actions include block, permit, notify, and trace. When the profile containing the Reputation filter is distributed to a device, the specified actions are applied to traffic that matches the addresses of tagged entries in the Reputation Database that have been screened using the specified tag criteria.
  • Creating a Reputation filter consists of two steps. In the first step, you define the general settings: the name of the filter, the state, the locked status, the action set, and the type of Reputation Database entries. In the second step, you specify the tag criteria to use when matching entries in the Reputation Database.
  • In general, filters with a "Permit + Notify" action set should be below filters with a "Block + Notify" action set, unless the filter is being used as part of a whitelist.
  • When you assign two criteria to a Reputation filter, both criteria must be met. For example, if you assign the criteria Malware/Botnet and a Reputation DV Score greater than or equal to 80, then only sites with a reported Botnet tag and a score of 80 or greater will trigger this filter.
  • If no RepFeed Score option is included in the filter, then all sites that meet the tag criteria will be blocked. In the example above, all sites tagged Botnet will be blocked regardless of the site score.
  • After creating Reputation filters, you must distribute the profile to one or more devices in order to fully activate the feature. If you unmanage a device and then re-manage the same device, you must redistribute all the profiles to all the segments for reputation distribution to start working again.
  • The Reputation Filters table displays the available Reputation filters in order of precedence so as to resolve overlapping criteria.

12.1. How to: Edit Reputation Settings

Reputation Settings apply to all reputation filters in a profile. The Filter Matching Address setting specifies which address of an incoming packet is used when testing for a filter match. The Lookup Packet Handling setting specifies what the device should do with packets that arrive during a reputation lookup. Depending on your version of SMS the steps to edit the Reputation settings will differ.

  1. From the Profiles area of the SMS, expand an IPS profile in the left navigational tree.
  2. For SMS 3.5/3.6
    1. Expand the Infrastructure Protection node, and select Reputation.
    2. On the Reputation Settings screen, click Edit.
  3. For SMS 4.0 and higher
    1. Expand the User Defined Filters node, and select Reputation/Geo.
    2. On the Reputation Filters and Settings screen, click Edit Settings.
  4. The Reputation Settings dialog box displays.
  5. Do one of the following:
    • Select Locked to lock the reputation settings.
    • Clear Locked to unlock the reputation settings.
  6. In the Filter Matching Address area, select an option to specify the addresses to use for filter comparisons:
    • Both source and destination addresses
    • Source address only
    • Destination address only
  7. In the Lookup Packet Handling area, select an option to specify how incoming packets are handled during a lookup:
    • Permit packets
    • Block packets

NOTE: If you select to block packets during lookup, you can block legitimate sites during the lookup.

  8. Click OK to save your settings.


12.2. How to: Add/Edit a Reputation Tag Category

  1. Navigate to the Profiles > Reputation Database screen and select the Tag Categories tab.
  2. To create a new tag category, click Add.
  3. To edit an existing tag category, select it in the table and click Edit, or right-click the selected entry and choose Edit.
  4. In the General area, complete the following information:
    • Name - a unique name that identifies the tag category.
    • Type - type of data (Text, List, Date, Yes/No, Number Range) that the tag category contains. Tag category types cannot be edited.
    • Description - a brief description (up to 255 characters) indicating how the tag category is to be used.
  5. In the Settings area, enter the appropriate information for the type of tag category you selected.
  6. Click OK.


12.3. How to: Delete a Reputation Tag Category

  1. Navigate to the Profiles > Reputation Database screen and select the Tag Categories tab.
  2. From the Tag Categories table, select an entry and click Delete.


12.4. How to: Create/Edit a RepFeed filter

  1. From the Profiles area of the SMS, expand an IPS profile in the left navigational tree.
  2. Expand the User Defined Filters node, and select Reputation/Geo.
  3. Perform one of the following tasks:
    • To create a new filter, click New.
    • To edit an existing filter, select a filter in the list and click Edit. The Reputation Filter wizard displays.
  4. On the General Settings screen, specify the following information:
    • Locked - Select Locked to lock the filter for editing.
    • Name - Enter a filter name.
    • State - Select Enabled to enable the filter.
    • Action Set - Select the appropriate block or permit action from the drop-down box.
    • Comments - Provide a brief description or comment about the filter.
  5. In the navigation pane of the wizard, select Entry Selection Criteria and specify the following items:
    • Entry Criteria - Select the type of address entries (IPv4, IPv6, or DNS Domains) from the Reputation Database to include in the filter.
    • Tag Criteria - Select the type of tag entries (tagged or untagged) from the Reputation Database to include in the filter and then select the check box next to any tag category you want to include.

NOTE: In the "Entry Selection Criteria" you can choose IPv4, IPv6, DNS Domain, or any combination. DNS Domain will only block the DNS lookup, so if the lookup does not go through the IPS, then it will not be blocked. You can also select "Includes Tagged Value", "Includes Untagged Value" or both.

Tag Criteria

  • Untagged Entries - If checked, will include all the untagged entries in the reputation database.
  • Tagged Entries - If checked, will include the tagged entries specified by the tag criteria given in the section below. If no criterion is provided in the section below this checkbox, then all entries which have at least one tag will be included.

  6. Configure a Reputation DV Score value.
  7. Click OK to save the filter, and distribute the profile to make it active.


12.5. How to: Change the Precedence of a Reputation Filter

  1. Expand the User Defined Filters node, and select Reputation/Geo.
  2. In the Reputation Filters list, select an entry and then click the appropriate button:
    • Click Move Up to move the highlighted entry up.
    • Click Move Down to move the highlighted entry down.
  3. The new order is automatically saved.


12.6. How to: Create or Edit a Reputation Domain Name Exception

  1. On the Profiles navigation pane, expand the node for a specific profile, and click Profile Settings. The Profile Settings screen displays.
  2. Select the Reputation Exceptions tab, and do one of the following:
    • In the Reputation Domain Name Exceptions section, click Add to create a new exception.
    • In the Reputation Domain Name Exceptions section, select an entry and click Edit to modify an existing exception.
    • The Create Reputation Domain Name Exception dialog box displays.
  3. In the Domain Name field, provide or modify the domain name for the exception.
  4. Select Locked if you want to lock the settings.
  5. Click OK to save.


12.7. How to: Create or Edit a Reputation IP Address Exception

  1. On the Profiles navigation pane, expand the node for a specific profile, and click Profile Settings. The Profile Settings screen displays.
  2. Select the Reputation Exceptions tab, and do one of the following:
    • In the Reputation IP Address Exceptions section, click Add to create a new exception.
    • In the Reputation IP Address Exceptions section, select an entry and click Edit to modify an existing exception.
    • The Create/Edit Address Pair dialog box displays.
  3. In the Name field, provide or modify the name for the restriction.
  4. In the Source IP Address field, do one of the following:
    • Select Any IP to apply the exception to all traffic sources.
    • Select IP Address, and provide or select an IP address to apply the exception to that specific source.
  5. In the Destination IP Address field, enter an IP address and do one of the following:
    • Select Any IP to apply the exception to all traffic destinations.
    • Select IP Address, and specify an IP address to apply the exception to that specific destination.
  6. Select Locked if you want to lock the settings.
  7. Click OK to save.


12.8. How to: Create a Whitelist

In order to create a "whitelist" you will have to perform the following steps:

  • Create a Tag Category - Tag categories define the types of tags that may be used to tag reputation database entries. This kind of metadata helps describe an item and allows it to be found again by performing a search.
  • Create a User Provided Entry - User provided entries contain the IP address or DNS domain name of the offending system.
  • Create a Reputation Filter - A Reputation filter associates an action set with one or more entries in the Reputation Database.

A. Create a Tag Category

  1. Log in to the SMS from a client and on the top Navigation menu click Profiles.
  2. On the left Navigation menu select Reputation Database. The Reputation Database screen displays.
  3. On the Reputation Database screen select the Tag Categories tab.
  4. On the Tag Categories tab click Add. The Create Tag Category screen displays.
  5. In the General section enter the following information:
    • Name: Enter a name for the category. (e.g. whitelist)
    • Type: Select Yes/No from the drop-down menu.
    • Description: Enter a description for the category.
  6. On the Create Tag Category screen, click OK to close and return to the Tag Categories tab.

B. Create User Provided Entry

  1. On the left navigation menu select User Provided Entries. The User Provided Entries screen displays.
  2. In the User Provided Entries screen, click Add. The Create Reputation Entry screen displays.
  3. Select IP Address or DNS Domain depending on the entry you wish to whitelist.
  4. In the Tag area, select the Tag Category created in the previous procedure (e.g. whitelist) and select Yes from the options provided.
  5. Click OK when finished.

C. Create a Reputation Filter

  1. On the left navigation menu select the "Profile" that you wish to modify.
  2. On the "Profile" select User Defined Filters > Reputation/Geo. The Reputation Settings screen displays.
  3. In the Reputation Filters section, select New Reputation. The Create Reputation Filter screen displays.
  4. In the General Settings area under Filter Info enter a Name for the filter.
  5. In the Action area under Action Set select Permit+Notify from the drop-down menu.
  6. Select the Entry Selection Criteria tab, and in the Tag area:
    • Select the Tag Category previously created (e.g. whitelist).
    • Un-check the Reputation DV Score tag.
  7. Distribute the profile by selecting Distribute.
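The filter semantics spelled out in the notes of section 12 (both criteria of a filter must be met, a filter without a Reputation DV Score criterion matches any score, filters are evaluated in precedence order) and the whitelist built in section 12.8 can be checked against a small model. The code below is an added illustration written for this article, not SMS or IPS code; the addresses, the "Malware/Botnet" and "whitelist" tag categories, the filter names and the rule that User Provided Entries are consulted before RepFeed entries for the same address are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SCORE_TAG = "Reputation DV Score"


@dataclass
class RepEntry:
    """One Reputation Database entry: an address plus a tag category -> value map."""
    address: str
    tags: Dict[str, object]
    user_provided: bool = False   # True for User Provided Entries, False for RepFeed entries


@dataclass
class RepFilter:
    """One Reputation filter: tag criteria plus an optional Reputation DV Score threshold."""
    name: str
    action_set: str                              # e.g. "Block+Notify" or "Permit+Notify"
    tag_criteria: Dict[str, object] = field(default_factory=dict)
    min_score: Optional[int] = None              # None = no Reputation DV Score criterion
    enabled: bool = True


def entry_matches(entry: RepEntry, flt: RepFilter) -> bool:
    """Every criterion on the filter must be met: all tag criteria AND the score criterion."""
    for category, wanted in flt.tag_criteria.items():
        if entry.tags.get(category) != wanted:
            return False
    if flt.min_score is not None:
        score = entry.tags.get(SCORE_TAG)
        if not isinstance(score, int) or score < flt.min_score:
            return False
    return True  # no score criterion: the entry matches whatever its score


def entries_for(db: List[RepEntry], address: str) -> List[RepEntry]:
    """User Provided Entries first, then RepFeed entries, for the same address (assumption)."""
    return sorted((e for e in db if e.address == address), key=lambda e: not e.user_provided)


def evaluate(db: List[RepEntry], filters: List[RepFilter], src: str, dst: str,
             matching: str = "both") -> Tuple[Optional[str], str]:
    """Return (filter name, action set) of the first filter, in precedence order, that
    matches an entry for the packet's source/destination address; (None, "no match") otherwise."""
    addresses = {"both": [src, dst], "source": [src], "destination": [dst]}[matching]
    for flt in filters:  # the filter list is in precedence order, like the SMS table
        if not flt.enabled:
            continue
        for addr in addresses:
            for entry in entries_for(db, addr):
                if entry_matches(entry, flt):
                    return flt.name, flt.action_set
    return None, "no match"


# Constructed sample database (documentation addresses) and filters.
DB = [
    RepEntry("192.0.2.10", {"Malware/Botnet": "Botnet", SCORE_TAG: 85}),
    RepEntry("192.0.2.20", {"Malware/Botnet": "Botnet", SCORE_TAG: 55}),
    RepEntry("198.51.100.5", {"Malware/Botnet": "Phishing", SCORE_TAG: 90}),
    RepEntry("192.0.2.10", {"whitelist": "Yes"}, user_provided=True),  # wrongly listed partner host
]
WHITELIST = RepFilter("whitelist", "Permit+Notify", {"whitelist": "Yes"})
BLOCK_BOTNET_80 = RepFilter("block-botnet-80", "Block+Notify", {"Malware/Botnet": "Botnet"}, 80)
BLOCK_ANY_BOTNET = RepFilter("block-any-botnet", "Block+Notify", {"Malware/Botnet": "Botnet"})

if __name__ == "__main__":
    print(evaluate(DB, [WHITELIST, BLOCK_BOTNET_80], "10.0.0.5", "192.0.2.10"))  # whitelist above block: permitted
    print(evaluate(DB, [BLOCK_BOTNET_80, WHITELIST], "10.0.0.5", "192.0.2.10"))  # whitelist below block: blocked
```

Running the two calls under `__main__` shows why the note about precedence matters: the same whitelist entry only cancels the block when its Permit+Notify filter sits above the Block+Notify filter.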
Category:
Configure; Troubleshoot; Deploy
Solution Id:
TP000087691