Threat Prevention: Reviewing my custom TP signature policies

fredbert

Moderator
NAS Support
Subscriber
5,479
2,214
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
  3. RT6600ax
  4. WRX560
Operating system
  1. macOS
Mobile operating system
  1. iOS
Last edited:
I previously posted how to extract event information from the TP event database, so I thought I would filter through the data and see how my customised policies were working. It's only been running for around a month since the last clear-out. I have noticed that I was getting multiple events for the same source IP at the same time, so there is clearly some overlap.

Within the Misc Attack signature category I have set quite a few of the groups of signatures to Deny: I expect most Internet inbound connectivity from people and devices I know, so there are a lot of suspect source IP addresses I don't need to serve. So these groups were set to Deny:
  • ET DROP Dshield Block Listed Source
  • ET DROP Spamhaus DROP Listed Traffic Inbound
  • ET CINS Active Threat Intelligence Poor Reputation IP
  • ET 3CORESec Poor Reputation IP
  • ET COMPROMISED Known Compromised or Hostile Host Traffic
  • ET TOR Known Tor Exit Node Traffic (the 'not exit node' signatures seem to mostly get hit too, so only customised 'exit node' ones)
With a bit of manipulation using the text editor BBEdit and Excel pivot tables on the unique source IP addresses, I found this: unique hits per signature group.

Signature group    Hits
DShield            2898
Spamhaus              3
CINS               1153
3CORESec           1073
Compromised          13
TOR                 299

But then considering which IP addresses got picked up by which signature group.

Signature group(s) that generated events for the IP    Unique IPs
DShield only                                           392
CINS only                                              286
DShield + 3CORESec                                     222
TOR only                                               220
3CORESec only                                          110
DShield + CINS                                          57
CINS + 3CORESec                                         42
DShield + CINS + 3CORESec                                6
3CORESec + TOR                                           4
DShield + COMPROMISED                                    3
Spamhaus only                                            3
3CORESec + COMPROMISED                                   2
COMPROMISED only                                         2
DShield + TOR                                            1

So the most events are generated by the ET DROP Dshield Block Listed Source 'group', which only has a single signature rule. This is followed by the many signature rules of the ET CINS Active Threat Intelligence Poor Reputation IP group. Then there are enough hits on the ET 3CORESec Poor Reputation IP group. I will keep these customised to Drop.

I'm not decided on whether I need to block TOR Known Exit Node source IPs, so for now I'll keep this large group as Deny. As for the other groups (COMPROMISED and Spamhaus), these generated five unique IPs from 18 events, and I've decided to remove the customised rules and have them revert back to Alert. A final check: I saw no events for Threatview.io's Cobalt Strike signatures, so these also revert to the default action.

This is for my setup, and the SRM firewall will have blocked other connection attempts before they hit Threat Prevention. It confirms my thought that the single DShield signature was doing a disproportionate amount of work. But it also showed that the other signature groups cover IP addresses not covered by the rest.
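The pivot the post builds by hand in BBEdit and Excel (events per signature group, then unique source IPs keyed by which combination of groups fired on them) is straightforward to script. The block below is an added example and is not the post author's code or anything from Synology; the event list, the `(source_ip, group)` field layout and the documentation-range addresses are constructed for illustration, and a real TP export would need its own parsing step first.

```python
"""Pivot Threat Prevention events by signature group (added example, not from the forum post).

Reproduces the two summaries in the post from a constructed event list:
  1. hits per signature group
  2. unique source IPs per exact combination of groups that fired on them
plus an 'exclusive coverage' view: IPs a group catches that no other group does.
Field layout (source IP, group name) is an assumption; real TP exports need parsing first.
"""
from collections import Counter, defaultdict

# Group names follow the signature families named in the post; order is used for stable keys.
GROUPS = ("DShield", "Spamhaus", "CINS", "3CORESec", "COMPROMISED", "TOR")

# Constructed sample (RFC 5737 documentation addresses, not real threat-intel hits).
# Repeated rows model the 'multiple events for the same source IP' the post mentions.
SAMPLE_EVENTS = [
    ("192.0.2.10", "DShield"), ("192.0.2.10", "DShield"), ("192.0.2.10", "3CORESec"),
    ("192.0.2.11", "DShield"), ("192.0.2.11", "CINS"),
    ("192.0.2.12", "CINS"), ("192.0.2.12", "CINS"),
    ("198.51.100.5", "TOR"), ("198.51.100.5", "TOR"), ("198.51.100.5", "TOR"),
    ("198.51.100.6", "Spamhaus"),
    ("203.0.113.7", "COMPROMISED"), ("203.0.113.7", "DShield"),
    ("203.0.113.8", "DShield"),
]


def events_per_group(events):
    """Hit count per signature group (the first table in the post)."""
    return Counter(group for _, group in events)


def unique_ips_per_group(events):
    """Distinct source IPs per group; an IP counts once per group however many events it produced."""
    ips = defaultdict(set)
    for ip, group in events:
        ips[group].add(ip)
    return {g: len(s) for g, s in ips.items()}


def group_combinations(events):
    """Unique IPs keyed by the exact set of groups that fired on them (the second table in the post).

    Keys are tuples in GROUPS order, e.g. ('DShield', '3CORESec'), so the same
    combination always produces the same key regardless of event order.
    """
    groups_by_ip = defaultdict(set)
    for ip, group in events:
        groups_by_ip[ip].add(group)
    combos = Counter()
    for groups in groups_by_ip.values():
        combos[tuple(g for g in GROUPS if g in groups)] += 1
    return combos


def exclusive_coverage(events):
    """IPs each group catches that no other group does (its 'X only' row).

    A group with zero exclusive coverage denies no IP that the other groups
    would not already have denied, which is the question the post is asking.
    """
    combos = group_combinations(events)
    return {g: combos.get((g,), 0) for g in GROUPS}


def label(combo):
    """Render a key the way the post labels rows: 'DShield + CINS' or 'TOR only'."""
    return " + ".join(combo) + (" only" if len(combo) == 1 else "")


if __name__ == "__main__":
    print("Events per group:", dict(events_per_group(SAMPLE_EVENTS)))
    print("Unique IPs per group:", unique_ips_per_group(SAMPLE_EVENTS))
    for combo, n in group_combinations(SAMPLE_EVENTS).most_common():
        print(f"{label(combo):30} {n}")
    print("Exclusive coverage:", exclusive_coverage(SAMPLE_EVENTS))
```

On the sample data, 3CORESec and COMPROMISED have zero exclusive coverage: every IP they flagged was also flagged by DShield. That is the signal the post uses to decide which customised Deny rules are pulling their weight.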
That is very nice!
I have wanted to create a TP user rule specifically for DHCP IPs, and not static ones. But I have not figured out how to accomplish that, other than creating multiple rules: one for each of the DHCP IPs.