
Is there a way to categorise IP Addresses in the Web report?

Hi Guys, 

I'm looking at reducing the uncategorised traffic on the UTM report. We currently block all access to IPs as a default; the problem is, each time one is blocked or attempted access is made, it comes up as uncategorised. Is there a rule / category I can implement to capture these and blanket categorise them? Currently I would say it takes up around 80% of the report! It's not a critical thing, more of a neatness aspect.

Thank you in advance

Chris



  • I have found that a surprising number of legitimate sites use some IPs instead of FQDN in their hidden web links, so blocking IPs has not been viable for me.

    But happily, UTM and its primary resource TrustedSites.org DO categorize IP addresses, so you are not flying blind in this situation.

    I WARN rather than BLOCK on uncategorized sites. Some of the links are small local businesses that never get noticed by the scanning services. Others might be bad guys hiding from the scoring service. I actively manage uncategorized, whether FQDN or IP Address, as follows:

    - Extract the web log and parse it into a SQL database (The hard part)

    - Find everything new that is uncategorized (Category="9998,9998"). I actually look for 3 adjacent records: warned, proceeded, and passed. If the user gave up after the warning, or if he tried to proceed but the connection failed with a non-existent host, I ignore the event. I am only interested if they went to the site.

    - Truncate any querystring, and eliminate duplicates. Different paths can have different categorizations within a single web host.

    - Submit the list to TrustedSource.org. To submit a file, you must create a free account. Max of 100 URLs per file. The reference product is McAfee SmartFilter 4.2 (XL-1).

    - Ask them to re-evaluate anything that comes up as uncategorized. Max of 100 URL re-evaluation requests per DAY. (You can request higher limits, but I have not.)

    - They will complete the evaluation and send you an email within 1 business day.

    - Resubmit the list to their website to get the results in a format that can be moved into Excel using copy-and-paste.

    - Review the results for anything Malicious. If found, review the logs in detail to see what happened while on the site, and do triage on the source machine.

    - Sophos is supposed to process the TrustedSource results and make them available to your UTM within 5 business days.


    You can do something similar, but you will be looking for Blocked when Category=9998,9998. You will get some non-existent sites in the result set, but it should still work.
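The workflow above (parse the web log into SQL, keep only uncategorized hits where the user actually reached the site, strip query strings, deduplicate, and split into files of 100 URLs) as an added Python example; it is not code from the thread or from Sophos. The log lines, their key="value" field names, and the action values warned/proceeded/passed/blocked are constructed for the example; only the category value 9998,9998 and the 100-URL limit come from the post. The real UTM httpproxy log would need its own field mapping.

```python
import re
import sqlite3
from urllib.parse import urlsplit, urlunsplit

# Constructed sample log (key="value" style, modelled loosely on a proxy log).
# Field names and action values are assumptions for this example.
SAMPLE_LOG = """\
2019:03:04-09:00:01 utm httpproxy[1]: user="alice" action="warned" category="9998,9998" url="http://203.0.113.10/app/login?session=abc"
2019:03:04-09:00:03 utm httpproxy[1]: user="alice" action="proceeded" category="9998,9998" url="http://203.0.113.10/app/login?session=abc"
2019:03:04-09:00:04 utm httpproxy[1]: user="alice" action="passed" category="9998,9998" url="http://203.0.113.10/app/login?session=abc"
2019:03:04-09:01:00 utm httpproxy[1]: user="bob" action="warned" category="9998,9998" url="http://example-shop.test/cart"
2019:03:04-09:02:00 utm httpproxy[1]: user="carol" action="warned" category="9998,9998" url="http://198.51.100.7/"
2019:03:04-09:02:01 utm httpproxy[1]: user="carol" action="proceeded" category="9998,9998" url="http://198.51.100.7/"
2019:03:04-09:02:02 utm httpproxy[1]: user="carol" action="error" error="host not found" category="9998,9998" url="http://198.51.100.7/"
2019:03:04-09:03:00 utm httpproxy[1]: user="alice" action="warned" category="9998,9998" url="http://203.0.113.10/app/login?session=zzz"
2019:03:04-09:03:01 utm httpproxy[1]: user="alice" action="proceeded" category="9998,9998" url="http://203.0.113.10/app/login?session=zzz"
2019:03:04-09:03:02 utm httpproxy[1]: user="alice" action="passed" category="9998,9998" url="http://203.0.113.10/app/login?session=zzz"
2019:03:04-09:05:00 utm httpproxy[1]: user="erin" action="blocked" category="9998,9998" url="http://192.0.2.55/update?v=2"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
UNCATEGORIZED = "9998,9998"   # value quoted in the thread for "uncategorized"


def parse_line(line):
    """Split one log line into its leading timestamp and key="value" fields."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def load_log(lines):
    """Load parsed events into an in-memory SQLite table.

    user_seq numbers each user's events in log order, so "adjacent" means
    adjacent for that user even when many users' requests interleave."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (seq INTEGER PRIMARY KEY, user_seq INTEGER, "
                 "ts TEXT, user TEXT, action TEXT, category TEXT, url TEXT)")
    counters, rows = {}, []
    for f in (parse_line(l) for l in lines if l.strip()):
        user = f.get("user", "")
        counters[user] = counters.get(user, 0) + 1
        rows.append((counters[user], f["ts"], user, f.get("action", ""),
                     f.get("category", ""), f.get("url", "")))
    conn.executemany("INSERT INTO events (user_seq, ts, user, action, category, url) "
                     "VALUES (?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def strip_query(url):
    """Keep scheme, host and path; drop the query string and fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path or "/", "", ""))


def dedupe(urls):
    """Remove duplicates while keeping first-seen order."""
    seen, out = set(), []
    for u in urls:
        if u not in seen:
            seen.add(u)
            out.append(u)
    return out


def visited_uncategorized(conn):
    """Douglas's variant: three adjacent records for the same user and URL,
    warned -> proceeded -> passed, on an uncategorized site. A user who gave
    up after the warning, or whose proceed ended in an error, is skipped."""
    sql = """
    SELECT w.url FROM events w
    JOIN events p ON p.user = w.user AND p.user_seq = w.user_seq + 1 AND p.url = w.url
    JOIN events s ON s.user = w.user AND s.user_seq = w.user_seq + 2 AND s.url = w.url
    WHERE w.action = 'warned' AND p.action = 'proceeded' AND s.action = 'passed'
      AND w.category = ?
    ORDER BY w.seq"""
    return dedupe(strip_query(u) for (u,) in conn.execute(sql, (UNCATEGORIZED,)))


def blocked_uncategorized(conn):
    """Chris's variant: single records blocked while uncategorized."""
    sql = "SELECT url FROM events WHERE action = 'blocked' AND category = ? ORDER BY seq"
    return dedupe(strip_query(u) for (u,) in conn.execute(sql, (UNCATEGORIZED,)))


def batches(urls, size=100):
    """Split the list into submission files of at most `size` URLs."""
    return [urls[i:i + size] for i in range(0, len(urls), size)]


if __name__ == "__main__":
    db = load_log(SAMPLE_LOG.splitlines())
    for n, batch in enumerate(batches(visited_uncategorized(db)), 1):
        print(f"submission file {n}:", batch)
    print("blocked while uncategorized:", blocked_uncategorized(db))
```

On the constructed sample only alice's visit survives (bob gave up, carol's proceed failed), and her two visits collapse to one URL once the session query string is removed; erin's blocked request is what Chris's version of the query would pick up.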

  • Thanks Douglas, that's a big help, I will get to parsing! Just annoying: although it isn't the heaviest request method data wise, uncategorised requests by IP certainly go into the hundreds of thousands, being part of a large educational establishment!
