IOA and IOC forensics
This request is to be able to search for IPs and URLs that have been blocked, either in the app or, simply for now, by searching log data.
It would be great to list URLs or IPs that, if seen, trigger an alarm. Hadn’t thought about that, but that’s a great idea too.
We would like to be able to search for IPs and URLs in the app but right now we just want to know where the data shown in network flows is logged.

In the app, there isn’t any way just to show inbound blocks. Or a way to filter on, say, 45.155 to see if they are scanning us.
We want access to the raw data so we can identify if servers on our list of currently known Log4j scanners are hitting us or our clients. We also need these log data to see if there are others attempting to use Log4j attacks that aren’t currently on our list.