alonzo.ramos Absent Member.

Can ArcSight block CIDR blocks of IPs

Is it possible to have ArcSight block complete CIDR blocks of IPs?

Thanks

pbrettle Acclaimed Contributor.

Re: Can ArcSight block CIDR blocks of IPs

Not sure what you mean here - can you explain a little further?

We have a network model that you can MAP IP addresses to zones based on the CIDR - asset, zone and network mapping. But this is a logical mapping process and enriches the data - it doesn't block or anything.

ArcSight is a passive tool for the collection, processing, correlation and management of alerts based on rules and policies - it's not a firewall and it's not "active" in that sense. You could automate things to trigger after a certain situation. For example, see an attack, send a trigger to a firewall or IPS device (such as TippingPoint) and have that IP address / range blocked. But you want to be very careful with this type of automation as it can be used against you!

saadabdul Frequent Contributor.

Re: Can ArcSight block CIDR blocks of IPs

Hi Alonzo

Action connectors are built to allow integrations between ArcSight and third party devices for the purpose of allowing the third party device to be controllable from within the ArcSight console. The user can then execute commands on third party devices from within ArcSight and send the output of those commands back to the console. The remote command can be executed as an action in the correlation rules engine, or as a right click on the action connector. The command is executed from the host that the connector resides on.

alonzo.ramos Absent Member.

Re: Can ArcSight block CIDR blocks of IPs

I'm not talking about specific connectors. ArcSight does block /32 IPs, which refers to one IP address. We can add this to work via script in conjunction with correlation rules. However, can ArcSight reference a Perl or Python script to block out a whole CIDR /24 IP block? The simple question is: can ArcSight be triggered to block out a specific CIDR block? The clear example would be to block a /25 when triggered by a certain rule. This would handle a range of IPs vs 1 IP.

Thanks

alonzo.ramos Absent Member.

Re: Can ArcSight block CIDR blocks of IPs

Paul,

What I'm looking at is the capability of blocking a range. At this time our test script works fine with /32.

Thanks

balahasan.v1 Acclaimed Contributor.

Re: Can ArcSight block CIDR blocks of IPs

Hi Alonzo,

Refer to the example here with the TRM module. Yes, you can do the same by invoking the script from rules, executed on the Manager/Console/Connector to act on a remote server.

https://protect724.hp.com/message/61266#61266

MarkSamark Super Contributor.

Re: Can ArcSight block CIDR blocks of IPs

Hi,

Let me add my 2 cents.

What you are referring to is that you can use a script to send to your 3rd party system to block, for instance, the source or destination IP address from the base event, right?

If you want to do a larger block you want to use one of the python modules that allows you to calculate the original network mask the IP is part of.

I haven't used it myself yet but I found some links that might help:

http://stackoverflow.com/questions/8872636/how-to-calculate-netmask-from-2-ip-adresses-in-python

There are also the netaddr and ipaddress modules:

https://docs.python.org/3/library/ipaddress.html

ipaddress.ip_network(address, strict=True)
https://docs.python.org/3/library/ipaddress.html#ipaddress.ip_network

Return an IPv4Network or IPv6Network object depending on the IP address passed as argument. address is a string or integer representing the IP network. Either IPv4 or IPv6 networks may be supplied; integers less than 2**32 will be considered to be IPv4 by default. strict is passed to IPv4Network or IPv6Network constructor. A ValueError is raised if address does not represent a valid IPv4 or IPv6 address, or if the network has host bits set.

>>> ipaddress.ip_network('192.168.0.0/28')
IPv4Network('192.168.0.0/28')

No clear cut answer but I think this will help you get on your way to blocking larger ranges.

saadabdul Frequent Contributor.
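As an added illustration (not code from this thread, from ArcSight, or from the linked pages), here is the ipaddress usage described above wrapped as the kind of standalone script an ArcSight Execute Command action could invoke with the event's IP: it widens the single address to the /24 or /25 the original poster asked about, computes the smallest network spanning two addresses (the netmask-from-two-IPs question linked above), and refuses to emit a block for ranges on a constructed never-block list, which is one concrete form of the caution earlier in the thread that such automation can be turned against you.

```python
#!/usr/bin/env python3
"""Added example: turn the single IP an ArcSight rule hands to a script into
a CIDR block for a firewall, using only the standard-library ipaddress module.
Script name and argument layout are assumptions for this example."""
import ipaddress
import sys
from typing import Optional

# Constructed never-block list for the example: ranges the automation must not
# block, so a spoofed or internal source address cannot be used to cut off
# your own users when the rule fires.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
)]


def containing_network(ip: str, prefixlen: int):
    """Return the /prefixlen network that contains ip. strict=False lets
    ip_network accept an address with host bits set and zero them."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def common_network(ip_a: str, ip_b: str):
    """Smallest network containing both addresses, found by starting at the
    host route for ip_a and widening one bit at a time until ip_b fits."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    net = ipaddress.ip_network(f"{a}/{a.max_prefixlen}")
    while b not in net:
        net = net.supernet()
    return net


def block_target(ip: str, prefixlen: int = 24) -> Optional[str]:
    """CIDR string to hand to the firewall, or None when the computed block
    would overlap a never-block range (the rule must not block it)."""
    net = containing_network(ip, prefixlen)
    if any(net.overlaps(safe) for safe in NEVER_BLOCK):
        return None
    return str(net)


if __name__ == "__main__":
    # Assumed invocation from the Execute Command action: block.py <ip> [prefix]
    prefix = int(sys.argv[2]) if len(sys.argv) > 2 else 24
    target = block_target(sys.argv[1], prefix)
    print(target if target else "refused: range is on the never-block list")
```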

Re: Can ArcSight block CIDR blocks of IPs

Hi Alonzo,

I think you can use these steps:

1- When the rule triggers on an IP, send this IP via Execute Command to a Python or Perl program.

2- The program will take this public IP as an input and run a whois command to get the range of the subnet. Please see the web site Whois - IP Address - Domain Name Lookup as an example and try entering a public IP. whois can be called from a Python or Perl program.

3- Then send this information to the firewall, such as PAN-OS or Cisco, and add these ranges to the object.

Hopefully, this will help
