IPs being flagged as Security Risk - malware

Comments

6 comments

  • heath

    Further, when I go to mute the alarm, I can only mute either the IP address or the entire category (Security Activity), not just the “malware” subset.  Are all the Security Activity alarms just the malware ones?

  • Firewalla

    On your first question, we do have a private intel feed as well as an intel feed from our own systems. Likely this IP is from those sources. (I think we are also integrating a few public sources as well.) Since this is not a blocking alarm, it is likely this IP is on the border

    "Security activity" can be malware, ransomware, crypto jack ... and a few other categories. Ignoring it will be bad. 

  • heath

    Right - so it’s not possible to mute specific types of “security activity” alarms?  Especially given the fact that I’m not able to validate that these are indeed malicious sites with any 3rd party OSINT, even from very reputable sources.

    It would be good to be able to be more focused on the muting of subtypes under a category, and if you provided more information on why a particular IP was flagged a certain way, especially when no other sources return that same data.  I know that these lists rapidly change because of the nature of a lot of these IP addresses.

    I don’t want to mute the alarms, but it seems like a lot of noise right now and if the Signal to Noise ratio gets too far off, then it makes the system less effective.

  • Support Team

    Agreed. We have been trying to improve the alarm handling recently; providing you with the ability to mute different subtypes of security activity alarms is one of the to-do items.

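The three mute scopes discussed in this thread (one IP, a whole category, or a single subtype such as malware), modelled as an added example that is not Firewalla's code; the alarm fields, the sample alarms and their documentation-range IPs are constructed:

```python
"""Constructed model of alarm muting at IP, category and subtype granularity."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Alarm:
    src_ip: str          # remote IP that triggered the alarm (constructed field)
    category: str        # e.g. "Security Activity"
    subtype: str         # e.g. "malware", "ransomware", "cryptojacking"

@dataclass(frozen=True)
class MuteRule:
    ip: Optional[str] = None         # exact IP or CIDR, None = any address
    category: Optional[str] = None   # None = any category
    subtype: Optional[str] = None    # None = every subtype in the category

    def matches(self, a: Alarm) -> bool:
        if self.ip is not None and ip_address(a.src_ip) not in ip_network(self.ip, strict=False):
            return False
        if self.category is not None and a.category != self.category:
            return False
        if self.subtype is not None and a.subtype != self.subtype:
            return False
        return True

def apply_mutes(alarms, rules):
    """Return the alarms that survive the mute rules, i.e. what the user still sees."""
    return [a for a in alarms if not any(r.matches(a) for r in rules)]

# Constructed sample alarms; the addresses are from documentation ranges.
ALARMS = [
    Alarm("203.0.113.10", "Security Activity", "malware"),
    Alarm("203.0.113.11", "Security Activity", "ransomware"),
    Alarm("198.51.100.7", "Security Activity", "cryptojacking"),
    Alarm("203.0.113.10", "Large Upload", "upload"),
]

def surviving_subtypes(rules):
    """Subtypes still visible after muting; shows what each mute scope costs."""
    return {a.subtype for a in apply_mutes(ALARMS, rules)}

if __name__ == "__main__":
    # Muting the whole category also silences the ransomware and cryptojacking alarms.
    print(surviving_subtypes([MuteRule(category="Security Activity")]))
    # Muting only the malware subtype keeps the other security alarms visible.
    print(surviving_subtypes([MuteRule(category="Security Activity", subtype="malware")]))
    # Muting one IP silences every alarm from it, security-related or not.
    print(surviving_subtypes([MuteRule(ip="203.0.113.10")]))
```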
  • heath

    That’s good to hear. I’m on the EA for both my FWG and FWP so I’d be happy to test it when you have something.

  • heath

    To follow up on my own post, any thought to providing more detail in the alarm on the reason it was alarmed?  I’ve never been able to find anything that generated an alarm that, when I investigated, showed up on any publicly available listing (Talos, Google, Zscaler, AlienVault, etc.).  So I’d really like to know more specifics on why it was considered a risk.  I’m guessing that these are generated from Zeek rules, so it may not be easy to include that sort of information in the feed file.  But it makes it hard to really understand what the risk is if I can’t get any more detail.  And while I do trust the Firewalla team (I bought 2 of them, after all), the mantra in the security world is “trust but verify”.  Maybe having a lookup somewhere online for those with devices that will show the details, similar to how others handle it?
