Number of blacklisted IPs reported by BLAT is increasing-fireeye-wMPS
Vendor: fireeye
OS: wMPS
Description:
Indeni will alert if number of blacklisted IPs reported by BLAT is increasing.
Remediation Steps:
Users are advised to further investigate the blacklisted IP addresses reported for any potential security attacks.
How does this work?
Indeni uses the FireEye NX “show blat stats” cli command to retrieve the blat information.
Why is this important?
Blat statistics provide blacklisted DNS configuration and statistics information to security analysts. It is important to monitor the number of blacklisted IPs visited, to help further in the detection of any suspicious activity.
Without Indeni how would you find this?
An administrator could log in and manually run the command via the CLI, or check the blat information via the GUI.
fireeye-nx-show-blat-stats
name: fireeye-nx-show-blat-stats
description: Fetch blat statistics information
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: fireeye
    os.name: wMPS
    privileged-mode: 'true'
comments:
    fireeye-nx-blat-is-enabled:
        why: |
            Blat statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is critical to monitor whether blat is enabled or not, to help further looking into blat metrics.
        how: |
            Indeni uses the FireEye NX "show blat stats" cli command to retrieve the blat information.
        can-with-snmp: false
        can-with-syslog: false
    fireeye-nx-blat-packet-received:
        why: |
            Blat statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is important to monitor the number of blat packets received, to help further in detection of any suspicious activity.
        how: |
            Indeni uses the FireEye NX "show blat stats" cli command to retrieve the blat information.
        can-with-snmp: false
        can-with-syslog: false
    fireeye-nx-blat-static-rules:
        why: |
            Blat statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is important to keep track of the number of static rules, to help further in detection of any suspicious activity.
        how: |
            Indeni uses the FireEye NX "show blat stats" cli command to retrieve the blat information.
        can-with-snmp: false
        can-with-syslog: false
    fireeye-nx-blat-dynamic-rules:
        why: |
            Blat statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is important to monitor the number of dynamic rules added to the file, to help further in detection of any suspicious activity.
        how: |
            Indeni uses the FireEye NX "show blat stats" cli command to retrieve the blat information.
        can-with-snmp: false
        can-with-syslog: false
    fireeye-nx-blat-static-bad-rules:
        why: |
            Blat statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is important to monitor the number of dynamic rules, to help further in detection of any suspicious activity.
        how: |
            Indeni uses the FireEye NX "show blat stats" cli command to retrieve the blat information.
        can-with-snmp: false
        can-with-syslog: false
    fireeye-nx-blat-dynamic-bad-rules:
        why: |
            Blat statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is important to monitor the number of dynamic rules that have errors in them, to help further in detection of any suspicious activity.
        how: |
            Indeni uses the FireEye NX "show blat stats" cli command to retrieve the blat information.
        can-with-snmp: false
        can-with-syslog: false
    fireeye-nx-blat-events-reported:
        why: |
            Blat statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is important to monitor the number of events and alerts reported, to help further in detection of any suspicious activity.
        how: |
            Indeni uses the FireEye NX "show blat stats" cli command to retrieve the blat information.
        can-with-snmp: false
        can-with-syslog: false
    fireeye-nx-blat-standby-events-reported:
        why: |
            Blat statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is important to monitor the number of events reported on the standby unit, to help further in detection of any suspicious activity.
        how: |
            Indeni uses the FireEye NX "show blat stats" cli command to retrieve the blat information.
        can-with-snmp: false
        can-with-syslog: false
    fireeye-nx-blat-events-dropped:
        why: |
            Blat statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is important to monitor the number of events dropped, to help further in detection of any suspicious activity.
        how: |
            Indeni uses the FireEye NX "show blat stats" cli command to retrieve the blat information.
        can-with-snmp: false
        can-with-syslog: false
    fireeye-nx-blat-inline-dropped:
        why: |
            Blat statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is important to monitor the number of inline packets dropped, to help further in detection of any suspicious activity.
        how: |
            Indeni uses the FireEye NX "show blat stats" cli command to retrieve the blat information.
        can-with-snmp: false
        can-with-syslog: false
    fireeye-nx-blat-inactive-domain:
        why: |
            Blat statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is important to monitor the number of inactive domains captured, to help further in detection of any suspicious activity.
        how: |
            Indeni uses the FireEye NX "show blat stats" cli command to retrieve the blat information.
        can-with-snmp: false
        can-with-syslog: false
    fireeye-nx-blat-blacklisted-ips:
        why: |
            Blat statistics provide blacklisted DNS configuration and statistics information to security analysts.
            It is important to monitor the number of blacklisted IPs visited, to help further in detection of any suspicious activity.
        how: |
            Indeni uses the FireEye NX "show blat stats" cli command to retrieve the blat information.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: show blat stats
    parse:
        type: AWK
        file: show-blat.parser.1.awk
FireEyeNxBlatBlacklistedIpsRule
Rule source: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/fireeye/nx/FireEyeNxBlatBlacklistedIpsRule.scala
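To show what the collector plus rule pair above amounts to, here is an added Python sketch (not Indeni's AWK parser or Scala rule) that parses polled "show blat stats"-style output and flags a sustained rise in the blacklisted-IP count; the "Label: value" output layout, the field names and the three-sample window are all constructed assumptions, not the real appliance format.

```python
"""Parse polled blat statistics and detect an increasing blacklisted-IP count.
Added example; the output layout below is CONSTRUCTED and may not match the
real 'show blat stats' output, so adjust FIELD_RE to the actual labels."""
import re
from typing import List, Optional

# Constructed sample output, one snapshot per 5-minute poll (oldest first).
SAMPLES = [
    "Blat enabled: yes\nStatic rules: 120\nDynamic rules: 34\nBlacklisted IPs: 7\n",
    "Blat enabled: yes\nStatic rules: 120\nDynamic rules: 35\nBlacklisted IPs: 9\n",
    "Blat enabled: yes\nStatic rules: 120\nDynamic rules: 36\nBlacklisted IPs: 14\n",
]

# "Label: value" lines; label is letters/spaces, value is a single token.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<val>\S+)\s*$")


def parse_blat_stats(output: str) -> dict:
    """Turn the output into a dict; numeric fields become ints."""
    stats = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # ignore banners, blank lines, anything unparsed
        key = m.group("key").strip().lower().replace(" ", "_")
        val = m.group("val")
        stats[key] = int(val) if val.isdigit() else val
    return stats


def blacklisted_ips(output: str) -> Optional[int]:
    """The metric the rule watches; None when the field is absent."""
    v = parse_blat_stats(output).get("blacklisted_ips")
    return v if isinstance(v, int) else None


def is_increasing(values: List[int], min_points: int = 3) -> bool:
    """True only if the last min_points samples rise strictly at every step.
    Too few samples means no evidence yet, so no alert (avoids noise)."""
    if len(values) < min_points:
        return False
    window = values[-min_points:]
    return all(b > a for a, b in zip(window, window[1:]))


def evaluate(samples: List[str], min_points: int = 3) -> dict:
    """Run the check over a poll series; skip polls missing the field and
    never alert when any poll shows blat disabled (metric is meaningless)."""
    counts = [c for c in (blacklisted_ips(s) for s in samples) if c is not None]
    enabled = all(parse_blat_stats(s).get("blat_enabled") == "yes" for s in samples)
    return {"counts": counts, "enabled": enabled,
            "alert": enabled and is_increasing(counts, min_points)}
```

A flat or dipping count within the window clears the condition, which is the behaviour an operator wants so that one-off lookups do not page anyone.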