Versions Compared

Version Old Version 2 New Version 3
Changes made by

Gary Leicht

Gary Leicht

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The following feed policy configuration is recommended after the SURBL feeds deprecation in mid-August. 

Info
titleAlert

New feed recommendations: It is recommended that you do the following regarding the new feeds:

  • Add Suspicious Domains with one of the policy actions to Block.
  • Add Suspicious Lookalikes with one of the policy actions to  Block.
  • Add Suspicious NOED with one of the policy actions to  Block.

The following table includes the list of feeds that we will be retiring:

Feed

RPZ Name

Retirement Date

Reason

Bot-IP

bot-ip.rpz.infoblox.local

4/1/2023

IP addresses are frequently reused for multiple sites, and blocking the ones associated with such systems ran the high risk of inadvertent blocking (I.E. False Positive). Many indicators here could be blocked in other ways, so the source is blocked in other similar feeds, making this redundant.

Spambot-IP

spambot-ip.rpz.infoblox.local

4/1/2023

ExploitKit_IP

exploitkit-ip.rpz.infoblox.local

June 2023

Ext_ExploitKit_IP

ext-exploitkit-ip.rpz.infoblox.local

June 2023

Ext_TOR_Exit_Node_IP 

ext-tor-exit-node-ip.rpz.infoblox.local

June 2023

NCCIC_Host

nccic-host.rpz.infoblox.local

June 2023

The curation process for these feeds (I.E. removing false positives) frequently left these feeds empty. The ones that remained are present in other feeds, making these feeds redundant.

NCCIC_IP

nccic-ip.rpz.infoblox.local

June 2023


As these feeds are being retired, NIOS platforms will no longer be able to download them.  This may present itself as a problem with the Zone transfer. To avoid this issue, these feeds should be removed as soon as possible. As they have been empty for a long time, there will be no negative effect on the organization’s security posture. This only affects NIOS platforms using these RPZ feeds, as cloud-based configurations are updated automatically.  


For information on adding and removing feeds from a security policy, see the following: 


Note
titleNote
  • When configuring feed precedence order, Please remember to prioritize feeds configured with a Block action (Block - No Redirect, Block - Default Redirect, and/or Block - Redirect - <custom redirect name>) by placing them in positions of higher precedence in your policy compared to feeds configured with an Allow action (Allow - With Log, Allow - No Log, and/or Allow - Local Resolution).Placing Blocked feeds higher in policy precedence order than Allowed feeds ensures that your security policy performs as intended.
  • Ensure that you understand the ramification
when
  • of overriding the default action for any threat feeds and Threat Insight rules before
you do
  • doing so.

The following table lists the default actions and precedence for the feeds and Threat Insight in the Default Global Policy:

BaseDHSAIS_DomainMalware_DGA
Feed NameDefault ActionDefault Precedence
AntiMalwareBaseBlock  – No Redirect1
AntiMalwareBlock  – No Redirect2
Malware_DGABlock  – No Redirect3
RansomwareBlock  – No Redirect4
RansomwarePublic_DOHBlock  – No Redirect5
SuspiciousPublic_DOH_NOEDIPBlock  – No Redirect6
Suspicious_LookalikesThreat Block  Allow No RedirectWith Log7
Suspicious_DomainsBlock  – No Redirect8
AntiMalware_IPThreat Insight-Data ExfiltrationAllow – With Log8
Threat Insight-Fast FluxAllow – With Log9
BogonThreat Insight-DNS MessengerAllow – With Log10
DHS_AISAntiMalware_IPAllow – With Log11
Ext_AntiMalwareBase_IPAntiMalwarAllow – With Log12
Ext_Base_AntiMalwareRansomwareAllow – With Log13
Ext_RansomwareAntiMalware_IPAllow – With Log14
USDHS_OFAC_Sanctions_IP_EmbargoedAIS_DomainAllow – With Log15
TOR_Exit_Node_IPCryptoCurrencyAllow – With Log16
Threat Insight-Data ExfiltrationAllow – With Log17
Threat Insight - DGAAllow – With Log18
Threat Insight-DNS MessengerAllow – With Log19
Threat Insight-Fast FluxAllow – With Log20
CryptoCurrencyAllow – With Log21
Spambot_DNSBL_IPAllow – With Log22
NOEDAllow – With Log23
FarSightNODAllow – With Log24
ETQRiskAllow – With Log25
ETQRiskTOR_Exit_Node_IPAllow – With Log26
EECN_IPAllow – No Log27
Public_DOHAllow – No Log28
Public_DOH_IPAllow – No Log2917


For information on adding and removing feeds from a security policy, see the following: 

...