
v21 Third Party Feeds

Hey all

With v21 accepting third party feeds I was hoping to ingest the CTIS data from the ACSC, but it's in STIX format and v21 only supports the one-IoC-per-line format.

I have found a couple of IP Lists to pull threat data from to add.

TorNodes for all Tor-related IPs, and also TALOS have a feed (both have about 1200-1500 IPs) - I can share the URLs if needed, but the forum blocks me if I post them :-0

What other feeds do you have or are looking to add?



[edited by: Erick Jan at 12:24 AM (GMT -7) on 23 Oct 2024]
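An added example (not from the original post, Sophos, or the ACSC) of the conversion the post asks about: extracting IPv4 hosts and CIDRs from a STIX 2.1 bundle and writing them out one per line for v21. The bundle below is constructed, and the rule that drops ranges broader than /24 is an assumed policy, so that one feed entry cannot block an entire provider's address space.

```python
import ipaddress
import json
import re

# Constructed sample STIX 2.1 bundle (not real CTIS data): three IPv4 indicators,
# one domain-only indicator and one non-indicator object that must be skipped.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--placeholder-1", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.7']"},
        {"type": "indicator", "id": "indicator--placeholder-2", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.0/24' OR ipv4-addr:value = '203.0.113.7']"},
        {"type": "indicator", "id": "indicator--placeholder-3", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '10.0.0.0/8']"},
        {"type": "indicator", "id": "indicator--placeholder-4", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'example.invalid']"},
        {"type": "malware", "id": "malware--placeholder-1", "name": "placeholder"},
    ],
})

# Matches the ipv4-addr comparisons inside a STIX pattern expression.
IPV4_IN_PATTERN = re.compile(r"ipv4-addr:value\s*=\s*'([0-9./]+)'")


def stix_to_ip_lines(bundle_json, max_prefix_size=24):
    """Return a sorted, deduplicated list of IPv4 hosts and CIDRs from a STIX bundle.
    Networks broader than /max_prefix_size are dropped (assumed policy)."""
    bundle = json.loads(bundle_json)
    keep = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for raw in IPV4_IN_PATTERN.findall(obj.get("pattern", "")):
            try:
                net = ipaddress.ip_network(raw, strict=False)
            except ValueError:
                continue  # malformed value: skip rather than emit garbage into the feed
            if net.prefixlen < max_prefix_size:
                continue  # too broad, e.g. 10.0.0.0/8
            keep.add(str(net.network_address) if net.prefixlen == 32 else str(net))
    return sorted(keep, key=lambda s: ipaddress.ip_network(s, strict=False))


def render_feed(lines):
    """Produce the one-IoC-per-line text that v21 third party feeds accept."""
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_feed(stix_to_ip_lines(SAMPLE_BUNDLE)), end="")
```

Point the firewall at a file produced by `render_feed`; rerun the conversion on whatever schedule the upstream bundle is refreshed.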
  • I've updated my post. Sophos dug into this and found that these notifications were not due to a random probe from a now-blocked IP from a third-party list. They were from the third-party list, but they weren't the usual shotgun of probes: they were specifically to the VPN port that is open to the WAN (which is of course how you use a VPN). In that case, it is acting as expected: those probes are not (invalid) Appliance Access but are for a service that is running on the appliance and so are blocked if they're on a block list. (In the past, they would have resulted in a failed VPN login attempt if the probe actually tried to login, or would end up elsewhere if they immediately dropped the connection, I guess.)

  • I'm a small fish so don't see a lot of what big fish see, but I haven't gotten any blocks by the URLHaus recent block list (one of their small lists). I have gotten blocks based on the FireHOL L3 list, but those were: a) VPN probes from listed IPs that I had previously not seen because they don't show up as (invalid) Appliance Access, and b) outgoing IP access that is flagged as C&C communications but the FireHOL list includes IPs that map to sites like "githubusercontent" which is an extremely broad IP.

  • Looking at the Talos URL, there is a generic URL that then redirects to another URL; within XG v21, talosintelligence.com/documents/ip-blacklist isn't pulling a list.  I've left off the https on purpose.

    Some of the other items I'm looking at were previously on pfblockerng within pfsense.  I need to look at Crowdsec and GreyNoise more.