
External Dynamic List (EDLs)

Hello,

Is this answer still valid? https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/45727/who-is-the-external-filter-list-provider

And is there an option to add my own customized URL/domain list (a dynamic list hosted externally so that UTM can import the objects included in the list, such as IP addresses, URLs and domains, and enforce policy)?


Thanks

Steve



  • Yes, the base data for UTM is provided by Trusted source, which Sophos uses with adjustments. There is no provision for an alternate source to use for a second opinion.

    You can create static overrides, which is all that I have ever needed.

    SMTP proxy supports multiple custom RBL sources.

    You also should be able to integrate with Norton DNS.  I tried once, had trouble, and rolled back before figuring out what I did wrong.  

  • Hello Douglas,

    Do you know the update interval by which TrustedSource will update URL categories on Sophos UTM?

    I am concerned about how long it will take UTM to get an updated URL verdict once TrustedSource has analyzed a domain/URL as malicious.

    Thanks

    Steve

  • Trusted source commits to complete their work in one business day, and they confirm by email.  They have consistently met that commitment for me.

    Sophos Support says that it can take up to 5 days to deploy changes after McAfee makes them. This is invisible and I have not made much effort to verify, since the policy help desk tool only checks one URL at a time (making any audit process painful.)

    I believe you will find some items that are "Uncategorized" in UTM even though Trusted Source has a stable category. This seems to be due to problems in the UTM lookup system, which I have been told will be addressed in a redesign. I mostly see it on image references with long paths, so I think the issue has to do with applying higher level categories to leaf nodes.

    Both UTM and McAfee may apply different categories to different paths within a website, which is appropriate. I think reputation ratings are more global.

  • Thank you, Douglas, for the detailed response.

  • DouglasFoster said:

    Sophos Support says that it can take up to 5 days to deploy changes after McAfee makes them.   This is invisible and I have not made much effort to verify, since the policy help desk tool only checks one URL at a time (making any audit process painful.)
    I believe you will find some items that are "Uncategorized" in UTM even though Trusted Source has a stable category.   This seems to be due to problems in the UTM lookup system, which I have been told will be addressed in a redesign.  I mostly see it on image references with long paths, so I think the issue has to do with applying higher level categories to leaf nodes.

    I believe the "5 days" are a generic disclaimer we have for all categorization changes, not just the ones that go to McAfee.  I believe that as soon as McAfee makes them available to us, we will have them for users.  As far as I know we get several updates a day from them.
    The "uncategorized" problem that you describe is scheduled to be resolved in 9.6.
    By the way, the easy way to audit is not to use help desk.  If you have a list, just navigate to each one and then look at the log.
  • I will look forward to 9.6. Hopefully it will have a much smoother launch than 9.5.

    I am still campaigning for a bulk lookup tool.  I never want to navigate to a site unnecessarily, and your approach is still a one at a time process.

  • I doubt there is demand for a bulk lookup tool.  But go ahead and put in the request.

    In the meantime, try this. Put all the URLs into a text file, one per line:

    wget -i urllist.txt -T 5 -t 1 -O /dev/null

    That is, go to each URL in the input file, with a timeout of 5 seconds, no retries, and discard the output.

    You should be able to get through a few hundred a minute. Since it's a command-line wget that ignores the output, it's safe.

    Now go through /var/log/http.log, grep on your source IP and look at the result. A little more text processing and you can get it to print only each URL and category.


    If you don't want to do wget, just do anything where each URL is turned into a hyperlink. Click on each one so it opens in a new tab. It is technically one at a time, but you should still be able to do around 1 a second. Then on your tab bar choose "Close all tabs to the right" so that you don't actually have to see the sites you opened (in case of NSFW).
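    As an added example (not from the thread), the "little more text processing" step above as a small shell script: it filters http.log lines by source IP and prints URL, category name and reputation, flagging an empty category as "Uncategorized". The log lines are constructed samples, and the key="value" field names (srcip, url, categoryname, reputation) are assumed to match the UTM http proxy log format.

```shell
#!/bin/sh
# Added example, not from the thread. Reduces UTM /var/log/http.log lines to
# "url<TAB>category<TAB>reputation" for one source IP after a wget sweep.
# Field names srcip=, url=, categoryname=, reputation= are assumed to match
# the UTM http proxy key="value" log format.

# Print the value of one key="value" field from a log line on stdin.
field() {
    sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# Read http.log on stdin, keep entries whose srcip equals $1, and print the
# URL, category name and reputation, tab separated; an empty category is
# reported as "Uncategorized" (the symptom discussed in the thread).
url_categories() {
    src="$1"
    while IFS= read -r line; do
        case "$line" in
            *"srcip=\"$src\""*) ;;
            *) continue ;;
        esac
        url=$(printf '%s\n' "$line" | field url)
        cat=$(printf '%s\n' "$line" | field categoryname)
        rep=$(printf '%s\n' "$line" | field reputation)
        printf '%s\t%s\t%s\n' "$url" "${cat:-Uncategorized}" "${rep:-unknown}"
    done
}

# Constructed sample log lines standing in for /var/log/http.log.
SAMPLE_LOG='2018:01:15-09:00:01 utm httpproxy[2345]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" srcip="192.168.1.10" url="http://example.com/" categoryname="Business" reputation="neutral"
2018:01:15-09:00:02 utm httpproxy[2345]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" srcip="192.168.1.99" url="http://other.example/" categoryname="News" reputation="trusted"
2018:01:15-09:00:03 utm httpproxy[2345]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" srcip="192.168.1.10" url="http://example.net/img/deep/path/a.png" categoryname="" reputation="unverified"'

# Against the real log the sequence would be:
#   wget -i urllist.txt -T 5 -t 1 -O /dev/null
#   url_categories 192.168.1.10 < /var/log/http.log
run_sample() {
    printf '%s\n' "$SAMPLE_LOG" | url_categories 192.168.1.10
}
```

    Compare the printed category against the Trusted Source verdict for each URL to see which changes have propagated to UTM.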

  • Doug, I'm not sure what you want out of a bulk tool. You can query 100 URLs at a time with a free account on trustedsource.org. Does that do what you want?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I do use Trusted Source. But I do not have a tool for verifying if their changes have propagated to UTM or not. Wget will help with that part of the problem.
