Saucepan

User Tools

Site Tools

Trace:
infoblox_threat_defense:rpz_feeds

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
infoblox_threat_defense:rpz_feeds [2025/11/12 12:08] – [RPZ Sizing] bstaffordinfoblox_threat_defense:rpz_feeds [2026/03/08 18:43] (current) – [NSDNAME and NSIP] bstafford
Line 328: Line 328:
   * **Block** - Contains entries that should be blocked with confidence given the level of protection needed (e.g. low protection for public wifi and extreme protection for the military)   * **Block** - Contains entries that should be blocked with confidence given the level of protection needed (e.g. low protection for public wifi and extreme protection for the military)
   * **Log** - Goes along with the aligned **Block** list but contains entries that don't have as high a confidence level.   * **Log** - Goes along with the aligned **Block** list but contains entries that don't have as high a confidence level.
 +
 +===== NSDNAME and NSIP =====
 +
 +Disable NSDNAME/NSIP processing to prevent major performance impacts (approx. 45%). This feature can also cause massive outage if a legitimate NS server gets onto your block list.
 +
 +RPZ NSDNAME (Name Server Domain Name)
 +  * Definition: This trigger matches the domain name of the authoritative name server (found in the NS records) during recursive resolution.
 +  * Use Case: If a malicious actor uses ns1.badactor.com to host 5,000 phishing websites, you can create an RPZ rule targeting ns1.badactor.com.rpz-nsdname. Any domain utilizing that name server will be blocked.
 +  * Key Advantage: It catches new malicious domains immediately, even if they aren't listed in a reputation feed yet, as long as they use the same compromised name server. 
 +
 +RPZ NSIP (Name Server IP Address) 
 +  * Definition: This trigger matches the actual IP address (IPv4 or IPv6) in the A/AAAA records of name servers associated with domains (glue records).
 +  * Use Case: If a malicious server changes its name (e.g., from ns1.badactor.com to ns1.sneaky.com) but keeps the same IP address (e.g., 192.0.2.55), NSDNAME might fail, but NSIP will still block it.
 +  * Functionality: It protects against attackers who try to evade NSDNAME filters by changing name server names. 
 +    
 +    
 ===== RPZ BAU Syslog on NIOS ===== ===== RPZ BAU Syslog on NIOS =====
 In NIOS, you get the following syslog on the member doing the RPZ feed In NIOS, you get the following syslog on the member doing the RPZ feed
Line 454: Line 470:
   * Major = 7   * Major = 7
   * Critical = 8   * Critical = 8
 +
 +Official SYSLOG Severity levels
 +  * 0 (Emergency): System unusable, kernel panic.
 +  * 1 (Alert): Action must be taken immediately (e.g., primary ISP loss).
 +  * 2 (Critical): Critical conditions (e.g., failing hardware, primary application failure).
 +  * 3 (Error): Error conditions, non-urgent failures.
 +  * 4 (Warning): Potential errors if no action is taken (e.g., low disk space).
 +  * 5 (Notice): Unusual but not error conditions, ongoing events.
 +  * 6 (Informational): Normal operational messages (e.g., application start/stop).
 +  * 7 (Debug): Detailed information for developers
  
 A note on Mitigation Action A note on Mitigation Action
infoblox_threat_defense/rpz_feeds.1762949287.txt.gz · Last modified: by bstafford