How to exclude a range of IPs from analysis with whitelists in RSA Web Threat Detection

4 years ago

Originally Published: 2015-08-20

Article Number

000049055

Applies To

RSA Product Set: Web Threat Detection
RSA Product/Service Type: Forensics
RSA Version/Condition: All
Platform: Linux

Resolution

All attribute can have a whitelist, but for IP address whitelisting it makes sense to apply these to the default "ip" attribute as follows:

<whitelist
    name="66.249.78.60"
    and="32"
    invisible="true"
/>

Here, the “and” attribute (which represents the CIDR mask bits) is 32 and so will correspond to a single IP address, but this value can be used to specify any range.

Example:
According to the whois for a particular IP:

$ whois 66.249.66.1
OrgName: Google Inc.
OrgID: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
[Querying whois.internic.net]
PostalCode: 94043
Country: US
 
NetRange: 66.249.64.0 – 66.249.95.255
CIDR: 66.249.64.0/19
NetName: GOOGLE
NetHandle: NET-66-249-64-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.GOOGLE.COM
NameServer: NS2.GOOGLE.COM
Comment:
RegDate: 2004-03-05
Updated: 2004-11-10

So using the CIDR for this you could filter all google IPs with a single entry of something like the following:

<whitelist
        name="66.249.64.0"
        and="19"
         invisible="true"
/>

The cleanest/safest method to add these is within the Configuration Manager UI under schema but can also be added directly to the universal_conf.py, which would then need to be re-imported and pushed.

Notes

The above example whitelists 8190 IPs belonging to google and not all of these will be googlebot crawlers so a it may be wise to consider different ranges using a CIDR calculator.

Don't see what you're looking for?

Related Articles

Trending Articles