
How do I know if IPS blocks a specific malware? Can I add my own rule?

Hello all,

 

Do you know if Sophos will protect our network from the APT10 Operation Cloud Hopper malware threat? (The link points to a PDF document about the malware.)

https://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&ved=0ahUKEwjZs_udk9vUAhWF0RoKHbxIDqoQFggxMAI&url=https%3A%2F%2Fwww.pwc.co.uk%2Fcyber-security%2Fpdf%2Fcloud-hopper-report-final-v4.pdf&usg=AFQjCNFqcbJb-nERBZuRD0izNuV7uve6KA

And a second question, regardless of the first one: is it possible to create a custom IPS rule to look for DNS requests trying to resolve one of the domains in the list below? (The link points to another PDF document.)

https://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0ahUKEwjZs_udk9vUAhWF0RoKHbxIDqoQFggqMAE&url=https%3A%2F%2Fwww.pwc.co.uk%2Fcyber-security%2Fpdf%2Fcloud-hopper-indicators-of-compromise-v3.pdf&usg=AFQjCNGDhRLQeNfRdtk0zEpQvkvir-I7pw

 

Best Regards,
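As an added example that is not part of this thread or of the Sophos UTM product, the following script shows the check the second question asks for done on the resolver side rather than in the IPS: it scans DNS query-log lines (constructed here in BIND-style format) against an indicator list and reports every query that equals an indicator domain or is a subdomain of one. The domains in IOC_DOMAINS are placeholders, not the real indicators from the PwC report.

```python
import re
from typing import List, Optional, Tuple

# Constructed placeholder indicators; substitute the real IoC domain list here.
IOC_DOMAINS = {
    "bad-example.invalid",
    "c2.placeholder.test",
}

# Constructed sample lines in BIND-style query-log format (not real traffic).
SAMPLE_DNS_LOG = """\
client 10.0.0.5#51234: query: www.bad-example.invalid IN A + (10.0.0.2)
client 10.0.0.6#40001: query: mail.example.org IN MX + (10.0.0.2)
client 10.0.0.7#53021: query: C2.Placeholder.TEST. IN A + (10.0.0.2)
client 10.0.0.8#53022: query: notbad-example.invalid IN A + (10.0.0.2)
"""

QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN (\S+)")


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Foo.TEST.' compares equal to 'foo.test'."""
    return name.rstrip(".").lower()


def matches_ioc(qname: str, iocs) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of, else None.

    Suffix matching is done on a label boundary ("." + ioc) so that
    'notbad-example.invalid' is not reported as a hit for 'bad-example.invalid'.
    """
    q = normalize(qname)
    for ioc in iocs:
        i = normalize(ioc)
        if q == i or q.endswith("." + i):
            return i
    return None


def scan_dns_log(text: str, iocs=IOC_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (client_ip, queried_name, matched_indicator) for each hit in the log."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # skip lines that are not query records
        client, qname, _qtype = m.groups()
        ioc = matches_ioc(qname, iocs)
        if ioc:
            hits.append((client, normalize(qname), ioc))
    return hits


if __name__ == "__main__":
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"ALERT client={client} query={qname} matched={ioc}")
```

Feed it the resolver's query log instead of SAMPLE_DNS_LOG to get the client address of every host that tried to resolve a listed domain.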



  • Hi, Mateusz, and welcome to the UTM Community!

    Does V9 IPS Rules answer your question?  It's not practical to create your own Snort rules in the UTM.

    Cheers - Bob
    PS I've edited the title of your question and added a tag to make it easier for people to benefit from your thread.  Don't hesitate to change it back if you don't like my changes.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    Thanks for the list, but unfortunately I cannot find the information on the specific malware I am interested in. Are there any other lists (with known malicious domains, for example?) so I could cross-check them with the indicators of compromise (from the link in the first post) to make sure that Sophos will protect our network from this particular threat?

    Best Regards,

    Mateusz

  • TrustedSource - Check Single URL will show you how the site is classified in Web Filtering.  Query the Smartfilter XL.

    Cheers - Bob

     
  • Hello,

    Thank you for this tool. It seems that all of these URLs are categorized as high risk, with just a few exceptions.

    I understand that Sophos UTM Web Filtering uses these databases to check for malicious domains. Can you please confirm which product from the list I should choose to get the most accurate results?

    My UTM firmware version is 9.501-5, and the pattern version is 128433.

    Best Regards,
    Mateusz