266 Views, 0 Helpful, 1 Reply

CSA - Processes Communicating with Untrusted Hosts

RichardSW
Level 1

Can someone explain this builtin application class, "Processes Communicating with Untrusted Hosts"?

I've read what is in the help file and notes, and I've looked for this in the documentation. But it seems a little vague. Here are a few snippets:

Correlate communications with untrusted hosts and add peer addresses to list of dynamically quarantined IP addresses.

------

With this checkbox enabled, when processes are added to the dynamic <Processes communicating with Untrusted Hosts> application class (see Built-in Configurable Application Classes, page 6-7) and this event is logged across multiple agent systems, these events are correlated and the untrusted peer address that triggered the event is added to a dynamic list of quarantined IP addresses that CSA MC maintains. If you have a rule configured to stop dynamically quarantined IP addresses in a deployed policy, no further agents can communicate with this peer address. See page 4-69 for information on using @dynamic in Network access control rules.

And:

Step 1 In the Network shield rule configuration view, enter the following information:

----

Description: Enter a description of this rule. This description appears in the list view for the module. Optionally, expand the +Detailed field to enter a longer description.

----

Enabled: Use this checkbox to enable this rule within the module. (It is enabled by default.) By not selecting this checkbox, you can save this rule, but it will not be active in the module and it will not be distributed to groups.

----

Step 2 Take the following action: (Note that only High Priority Deny, Allow, Deny, Monitor, and Add process action types are available for this rule. You can choose to add the system process to the Processes communicating with Untrusted Hosts application class, which causes the remote host IP address to be sent to the MC for global correlation. This may result in the address being added to the @dynamic address list for quarantining. See page 6-7 for information on the Processes communicating with Untrusted Hosts application class. Also see Correlation for details on quarantining IP addresses.) Select an action type from the pulldown list.

And:

Processes Communicating with Untrusted Hosts: This is intended to capture the IP addresses of hosts that are viewed as violating security policies or exhibiting malicious behavior. Being classified as belonging to this application category causes a host to be quarantined from the network.

So far I've gathered that this process is involved in correlation and the @dynamic variable. But I'm confused when it is used and what rules can use it. If a network shield rule populates this class, how can an application rule use it when application rules don't work with IP addresses? If this does allow application rules to work with IP addresses, is it possible for me to use this rule in conjunction with data control rules?

1 Reply

mgavel
Level 1

The built-in appclass does not exist and the documentation is in need of an update.

The Global Event Correlation updates the @dynamic variable. Please just focus on that operation.

@dynamic can contain a list of file names or a list of IP addresses. The context it is used in determines what is presented.

@dynamic used in a Network Address Set will have a list of IP addresses.

@dynamic used to define a File Set or Application Class will present a list of file names.

Hope this helps,

Marcus
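To make the mechanism in this thread concrete, here is a small Python model of it. This is an added example, not Cisco code and not how CSA MC is implemented internally: agents report a "process communicating with untrusted host" event carrying the peer address, the management center correlates those reports across distinct agent systems, and once a peer has been corroborated by enough agents it lands on the dynamic quarantine list. The same @dynamic token is then resolved by context, as the reply describes: a Network Address Set sees the IP list, a File Set or Application Class sees the file-name list. The corroboration threshold (min_agents), the class and function names, and the sample events are all assumptions constructed for the example.

```python
"""Toy model of global event correlation feeding the @dynamic quarantine list.

Added example, not Cisco code. It models the behaviour described in the thread:
agents log an event when a process is placed in the "Processes Communicating
with Untrusted Hosts" class; the MC correlates those events across distinct
agent systems and, once the same peer address has been reported by enough
distinct agents (threshold is an assumption here), adds it to the dynamic
quarantine list. @dynamic then resolves to that IP list in a Network Address
Set and to a separate file-name list in a File Set or Application Class.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class AgentEvent:
    agent_host: str   # agent system that logged the event
    process: str      # local process placed in the application class
    peer_ip: str      # remote address the process communicated with


@dataclass
class ManagementCenter:
    # Assumed policy: a peer must be reported by at least this many distinct
    # agent systems before it is quarantined (a single noisy host is not enough).
    min_agents: int = 2
    _reports: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))
    quarantined_ips: Set[str] = field(default_factory=set)
    dynamic_files: Set[str] = field(default_factory=set)

    def correlate(self, event: AgentEvent) -> bool:
        """Record one agent event; return True if the peer was just quarantined."""
        reporters = self._reports[event.peer_ip]
        reporters.add(event.agent_host)
        if event.peer_ip not in self.quarantined_ips and len(reporters) >= self.min_agents:
            self.quarantined_ips.add(event.peer_ip)
            return True
        return False

    def resolve_dynamic(self, context: str) -> List[str]:
        """@dynamic presents different content depending on where it is used."""
        if context == "network_address_set":
            return sorted(self.quarantined_ips)
        if context in ("file_set", "application_class"):
            return sorted(self.dynamic_files)
        raise ValueError(f"unknown context for @dynamic: {context}")


def network_rule_denies(mc: ManagementCenter, peer_ip: str) -> bool:
    """A deployed network access control rule of the form 'deny to @dynamic'."""
    return peer_ip in mc.resolve_dynamic("network_address_set")


def run_demo():
    """Feed constructed events from three agent systems through the correlator."""
    mc = ManagementCenter(min_agents=2)
    events = [  # constructed sample data, documentation-range addresses
        AgentEvent("ws-01", "svchost.exe", "203.0.113.7"),
        AgentEvent("ws-01", "svchost.exe", "203.0.113.7"),   # same agent again: no new corroboration
        AgentEvent("ws-02", "outlook.exe", "203.0.113.7"),   # second distinct agent: quarantined now
        AgentEvent("ws-03", "chrome.exe", "198.51.100.9"),   # only one agent so far: not quarantined
    ]
    newly_quarantined = [mc.correlate(e) for e in events]
    return mc, newly_quarantined


if __name__ == "__main__":
    mc, flags = run_demo()
    print("quarantine decisions per event:", flags)
    print("@dynamic in Network Address Set:", mc.resolve_dynamic("network_address_set"))
    print("@dynamic in File Set:", mc.resolve_dynamic("file_set"))
```

The point the model makes is the one in the reply: nothing about the application class itself drives the rule; the correlation step is what populates @dynamic, and an application or data control rule referencing @dynamic would see file names, not the quarantined addresses.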