Malicious Sources

Additional web protections can be enabled to log and block known malicious hosts, based on their source, before they access your web services.

The malicious source files are available with an advanced Web Protection subscription. The malicious file lists are updated frequently and dynamically in the Valtix Controller backend.

Malicious sources are categorized from learned behavior.

  • Malicious sources identified from Web Honeypots
  • Botnet C&C Hosts
  • TOR Exit nodes

Create Malicious Sources Profile

  1. Navigate to Manage -> Profiles -> Malicious Sources
  2. Click Create
  3. Provide a name and description
  4. Check the box to enable IP Reputation
  5. Click Manual or Automatic mode for Trustwave Ruleset Version selection
  6. In Manual mode, select the Trustwave Ruleset Version from the dropdown. The selected ruleset version is used by the Valtix datapath engine on all gateways which use this profile and is not automatically updated to newer ruleset versions.
  7. In Automatic mode, select how many days to delay the deployment by, after the ruleset version is published by Valtix. New rulesets are published daily by Valtix and the gateways using this profile are automatically updated to the latest ruleset version which is N days or older, where N is the "delay by days" argument selected from the dropdown. For example, if you select to delay the deployment by 5 days on Jan 10, 2021, the Valtix controller will select a ruleset version which was published on Jan 5th or before. Note that Valtix may not publish on some days if our internal testing with that ruleset version fails for some reason.
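
The two modes in steps 6 and 7 can be modelled as follows. This is an added example, not Valtix code: the function names, the use of publication dates as ruleset versions, and the sample publication calendar (with Jan 4 and Jan 5 skipped) are all assumptions made for illustration.

```python
from datetime import date, timedelta
from typing import Optional

# Constructed publication dates standing in for ruleset versions; Jan 4 and
# Jan 5 are missing to model days on which no ruleset was published.
PUBLISHED = [date(2021, 1, d) for d in (1, 2, 3, 6, 7, 8, 9, 10)]


def select_automatic(published, today, delay_days) -> Optional[date]:
    """Latest ruleset published at least delay_days before today, else None."""
    cutoff = today - timedelta(days=delay_days)
    eligible = [p for p in published if p <= cutoff]
    return max(eligible) if eligible else None


def effective_ruleset(mode, published, today, pinned=None, delay_days=0):
    """Resolve the ruleset a gateway using the profile would run."""
    if mode == "manual":
        # Manual mode: the pinned version never moves, whatever is published.
        if pinned not in published:
            raise ValueError("pinned ruleset was never published")
        return pinned
    if mode == "automatic":
        return select_automatic(published, today, delay_days)
    raise ValueError(f"unknown mode: {mode!r}")


def staleness_days(ruleset, today) -> int:
    """Age of the deployed ruleset, useful for alerting on stale pins."""
    return (today - ruleset).days


if __name__ == "__main__":
    today = date(2021, 1, 10)
    auto = effective_ruleset("automatic", PUBLISHED, today, delay_days=5)
    print("automatic, delay 5:", auto, f"({staleness_days(auto, today)} days old)")
    pin = effective_ruleset("manual", PUBLISHED, today, pinned=date(2021, 1, 2))
    print("manual pin:", pin, f"({staleness_days(pin, today)} days old)")
```

With a 5-day delay on Jan 10, the skipped publication days mean the deployed ruleset is the Jan 3 one, 7 days old rather than 5, which is what "N days or older" implies in practice.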

Tech Notes

IP Reputation inspects the remote IP address of the client, and is used to identify known attacking systems in the following categories:

  • Malicious Attack Sources Identified from Web Honeypots
  • Botnet C&C Hosts
  • TOR Exit Nodes

Associate the Malicious Sources Profile with a Policy Rule

Check this document to create/edit rules