Available plugins
The following plugins are available:
BlacklistProviderPlugin
The BlacklistProviderPlugin is used for determining if the browser IP address is blacklisted by configured open source blacklists, SecureWorks and/or custom blacklists.
When viewing the plugin information on the Edit Plugin page, the top two fields provide information on the plugin and cannot be changed:
Instance Name
BlacklistProviderPlugin1
Description
The Blacklist Provider plugin provides a set of default open source blacklists, optional Dell SecureWorks blacklist and the ability to add additional blacklist sources.
BlacklistProviderPlugin Configuration
The following settings are available for the plugin in the Plugin Configuration section:
- Maximum Audit Records - This is the maximum number of blacklist records to list in the details of an audit record. By default, this is 10 audit records. The maximum number of records that can be returned is 20.
(Optional) Dell SecureWorks CTU Blacklist Configuration
- SecureWorks Portal Token - SecureWorks customers need to enter their SecureWorks issued portal token into this field to enable the SecureWorks blacklist. When this field is empty, the SecureWorks blacklist is disabled.
- Update Frequency (Minutes) - This is how often the Security Analytics Engine connects to SecureWorks to update the blacklist. By default, this is 1440 minutes. The maximum update frequency is 9999 minutes.
- List ID - This is the ID of the specific SecureWorks blacklist to retrieve. By default, this is -1.
(Optional) Default blacklists
The Security Analytics Engine provides a set of pre-configured blacklists upon installation. The following table displays the settings for each of these default blacklists:
Table 2: Default blacklists
Swiss Security Blog Zeus List |
- Provider URL - https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
- Provider Name - Swiss Security Blog Zeus List
- Update Frequency (Minutes) - 60
- Comment Start Pattern - #
- Enabled - (Selected)
|
Swiss Security Blog Ransomware List |
- Provider URL - https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt
- Provider Name - Swiss Security Blog Palevo List
- Update Frequency (Minutes) - 60
- Comment Start Pattern - #
- Enabled - (Selected)
|
Swiss Security Blog Feodo List ACD |
- Provider URL - https://feodotracker.abuse.ch/blocklist/?download=ipblocklist
- Provider Name - Swiss Security Blog Feodo List ACD
- Update Frequency (Minutes) - 60
- Comment Start Pattern - #
- Enabled - (Selected)
|
Swiss Security Blog Feodo List B |
- Provider URL - https://feodotracker.abuse.ch/blocklist/?download=badips
- Provider Name - Swiss Security Blog Feodo List B
- Update Frequency (Minutes) - 60
- Comment Start Pattern - #
- Enabled - (Selected)
|
Emerging Threats Compromised IPs List |
- Provider URL - http://rules.emergingthreats.net/blockrules/compromised-ips.txt
- Provider Name - Emerging Threats Compromised IPs List
- Update Frequency (Minutes) - 60
- Comment Start Pattern - #
- Enabled - (Selected)
|
BlocklistDE All 48 Hours List |
- Provider URL - http://lists.blocklist.de/lists/all.txt
- Provider Name - BlocklistDE All 48 Hours List
- Update Frequency (Minutes) - 60
- Comment Start Pattern - #
- Enabled - (Selected)
|
BlocklistDE Strong IPs List |
- Provider URL - http://lists.blocklist.de/lists/strongips.txt
- Provider Name - BlocklistDE Strong IPs List
- Update Frequency (Minutes) - 60
- Comment Start Pattern - #
- Enabled - (Selected)
|
(Optional) Custom Blacklist Providers
This section allows you to pull in a custom internal blacklist or an externally available blacklist, such as an open source blacklist.
Click Add to display the following fields:
-
Provider URL - The URL used to retrieve the text blacklist (for example, http://localhost/sampleblacklist.txt)
|
NOTE: The blacklist must be in a plain text format, with a single IP address per line, and support using an optional network mask length (for example, 172.28.100.0/24). |
- Provider Name - The name of the text list provider.
-
Update Frequency (Minutes) - This is how often the Security Analytics Engine connects to the provider to update the text blacklist. The maximum update frequency is 9999 minutes.
|
NOTE: Some externally available blacklists may have additional restrictions regarding update frequency. |
- Comment Start Pattern - In order to ignore comments in the text file, enter the character used to distinguish the comments from the blacklist items (for example, #).
- Enabled - Select this check box to enable the text blacklist for use by the Security Analytics Engine.
- Delete - Click this button to remove the custom blacklist.
After modifying the plugin, click the Validate button in the lower right corner to check that the configuration is valid.
BlacklistProviderPlugin Condition
The following type of condition is available for this plugin: