
Is there a way to categorise IP Addresses in the Web report?

Hi Guys, 

I'm looking at reducing the uncategorised traffic on the UTM report. We currently block all access to IPs as a default; the problem is, each time one is blocked or attempted access is made, it comes up as uncategorised. Is there a rule / category I can implement to capture these and blanket categorise them? Currently I would say it takes up around 80% of the report! It's not a critical thing, more of a neatness aspect.

Thank you in advance

Chris



  • I have found that a surprising number of legitimate sites use some IPs instead of FQDN in their hidden web links, so blocking IPs has not been viable for me.

    But happily, UTM and its primary resource TrustedSource.org DO categorize IP addresses, so you are not flying blind in this situation.

    I WARN rather than BLOCK on uncategorized sites.   Some of the links are small local businesses that never get noticed by the scanning services.   Others might be bad guys hiding from the scoring service.   I actively manage uncategorized, whether FQDN or IP Address, as follows:

    - Extract the web log and parse it into a SQL database (The hard part)

    - Find everything new that is uncategorized (Category="9998,9998").   I actually look for 3 adjacent records:   warned, proceeded, and passed.   If the user gave up after the warning, or if he tried to proceed but the connection failed with a non-existent host, I ignore the event.   I am only interested if they went to the site.

    - Truncate any querystring, and eliminate duplicates.   Different paths can have different categorizations within a single web host.

    - Submit the list to TrustedSource.org.   To submit a file, you must create a free account.   Max of 100 URLs per file.   The reference product is McAfee SmartFilter 4.2 (XL-1).

    - Ask them to re-evaluate anything that comes up as uncategorized.   Max of 100 URL re-evaluation requests per DAY.  (You can request higher limits, but I have not)

    - They will complete the evaluation and send you an email within 1 business day.

    - Resubmit the list to their website to get the results in a format that can be moved into Excel using copy-and-paste.

    - Review the results for anything Malicious.  If found, review the logs in detail to see what happened while on the site, and do triage on the source machine.

    - Sophos is supposed to process the TrustedSource results and make them available to your UTM within 5 business days.


    You can do something similar, but you will be looking for Blocked when Category=9998,9998.  You will get some non-existent sites in the result set, but it should still work.
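    Douglas's parsing steps, as an added example that is not taken from his post or from Sophos: a small Python pass over constructed log lines that applies the warned / proceeded / pass rule, strips querystrings and deduplicates, plus the blocked-only variant Chris's block-by-default setup needs. The key="value" layout, the field names and the sample lines are assumptions, not UTM's actual log format.

```python
import re
from urllib.parse import urlsplit, urlunsplit
# Constructed sample in a key="value" style loosely modelled on UTM httpproxy
# log lines; the field names and simplified layout are an assumption.
SAMPLE_LOG = """\
action="warned" srcip="10.1.2.3" url="http://203.0.113.10/index.php?id=1" category="9998"
action="proceeded" srcip="10.1.2.3" url="http://203.0.113.10/index.php?id=1" category="9998"
action="pass" srcip="10.1.2.3" url="http://203.0.113.10/index.php?id=1" category="9998"
action="warned" srcip="10.1.2.4" url="http://198.51.100.7/" category="9998"
action="pass" srcip="10.1.2.5" url="http://www.example.com/" category="105"
action="warned" srcip="10.1.2.6" url="http://203.0.113.10/other/" category="9998,9998"
action="proceeded" srcip="10.1.2.6" url="http://203.0.113.10/other/" category="9998,9998"
action="pass" srcip="10.1.2.6" url="http://203.0.113.10/other/?x=1" category="9998,9998"
action="blocked" srcip="10.1.2.9" url="http://192.0.2.44/dl?f=a" category="9998"
"""
UNCATEGORIZED = "9998"  # the "uncategorized" id quoted in the thread
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """One key="value" log line -> dict of fields."""
    return dict(KV_RE.findall(line))

def strip_query(url):
    """Drop querystring and fragment; different paths on one host stay distinct."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))

def is_uncategorized(rec):
    # accepts both "9998" and the "9998,9998" form seen in the report export
    return UNCATEGORIZED in rec.get("category", "").split(",")

def visited_uncategorized(lines):
    """Warn-mode rule: keep a URL only when a client's warned event is followed
    by proceeded and then pass for the same stripped URL (the user got there)."""
    recs = [parse_line(l) for l in lines if l.strip()]
    key = lambda r: (r.get("srcip"), strip_query(r.get("url", "")))
    found = set()
    for i, rec in enumerate(recs):
        if rec.get("action") != "warned" or not is_uncategorized(rec):
            continue
        later = [r.get("action") for r in recs[i + 1:] if key(r) == key(rec)]
        if later[:2] == ["proceeded", "pass"]:
            found.add(key(rec)[1])
    return sorted(found)

def blocked_uncategorized(lines):
    """Block-by-default variant: every blocked uncategorized URL, deduplicated."""
    recs = [parse_line(l) for l in lines if l.strip()]
    return sorted({strip_query(r["url"]) for r in recs
                   if r.get("action") == "blocked" and "url" in r and is_uncategorized(r)})
```

    The warned-only hit from 10.1.2.4 is dropped, as Douglas describes, and the two paths on 203.0.113.10 are kept separately.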

  • You can create your own categories (if needed) under Web protection > Filtering options > Categories. Or you can use the existing ones.

    You can then re-categorise IPs, websites etc. under Web protection > Filtering options > Websites.

    You have to add each website, although you can cut and paste from a list, e.g. sites A - E = category A (e.g. really bad), then create another rule, sites F - J = category B (semi bad), etc., or simply re-categorise them using the existing UTM categories.

    Obviously a bit of a job to start with which will diminish with time.


    Under reporting, the nearest you can get with web reporting is domains with categories. That will give you the domain visited with the category and amount of traffic.

    If you want to go further, check out iView as the reporting is far superior on that.

  • Thanks Douglas, that's a big help, I will get to parsing! Just annoying: although it isn't the heaviest request method data-wise, uncategorised requests by IP certainly go into the hundreds of thousands, being part of a large educational establishment!

  • Hi Louis, 

    Thank you for the information :) I have a lot of categories set up already, it's just the ones to IPs (of which there are thousands) that I don't really have the time or manpower to track each one :(

  • The only time that you want to assign a URL to an allowed category is when you are certain that the URL is trustworthy -- reputable organization, devoid of active malware, with a purpose that is consistent with your organization's acceptable use policy.   Whitelisting large numbers of unknown websites defeats the point of having a web defense.   If you allow unknown sites at all, at least mark them as warned.

    Louis is only half-correct about creating categories, and it points to one of the documentation problems.   UTM has two types of categories:   Websites are assigned to subcategories.   You can override the subcategory to which a website is assigned, but you cannot alter the subcategory list.   Users are allowed or blocked based on supercategories.  You can create or delete new supercategories.   A subcategory should only be assigned to one supercategory, but the UTM interface does not enforce this.   If you start rearranging the subcategory to supercategory mapping, you need to be careful to ensure that every category is assigned somewhere and no category is assigned twice, since either mistake could produce unexpected and undesired results.   The consequences of these mistakes are undocumented.

    For your example, you cannot assign website 10.10.10.10 to a newly-created (sub)category called "Stuff_I_Approve".   You can assign it to the subcategory "Education" to cause it to be in an allowed supercategory, or assign it to "School Cheating" to cause it to be in a blocked supercategory.