000031007 - How to exclude a range of IPs from analysis with whitelists in RSA Web Threat Detection

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000031007
Applies To:
RSA Product Set: Web Threat Detection
RSA Product/Service Type: Forensics
RSA Version/Condition: All
Platform: Linux
 
Resolution
Any attribute can have a whitelist, but for IP address whitelisting it makes sense to apply it to the default "ip" attribute, as follows:
<whitelist
    name="66.249.78.60"
    and="32"
    invisible="true"
/>

Here, the "and" attribute (the number of CIDR mask bits) is 32, so the entry matches a single IP address; any other value can be used to specify a range.
Example:
According to the whois for a particular IP:
$ whois 66.249.66.1
OrgName: Google Inc.
OrgID: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
[Querying whois.internic.net]
PostalCode: 94043
Country: US

NetRange: 66.249.64.0 - 66.249.95.255
CIDR: 66.249.64.0/19
NetName: GOOGLE
NetHandle: NET-66-249-64-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.GOOGLE.COM
NameServer: NS2.GOOGLE.COM
Comment:
RegDate: 2004-03-05
Updated: 2004-11-10

So, using this CIDR, you could whitelist all Google IPs in that range with a single entry like the following:
<whitelist
    name="66.249.64.0"
    and="19"
    invisible="true"
/>

The cleanest and safest way to add these entries is in the Configuration Manager UI under Schema, but they can also be added directly to universal_conf.py, which then needs to be re-imported and pushed.
Notes
The above example whitelists 8190 IPs belonging to Google, and not all of these will be Googlebot crawlers, so it may be wise to consider different ranges using a CIDR calculator.
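To check what a given name/and pair actually covers before pushing it, here is an added Python example (not part of this article or of the product) that reads entries in the whitelist syntax shown above as CIDR networks, tests whether an address would be matched, and counts the hosts a block covers; the sample schema is constructed and the function names are my own.

```python
import ipaddress
from xml.etree import ElementTree as ET

# Constructed sample in the article's whitelist syntax; not a real universal_conf.py.
SAMPLE_SCHEMA = """<schema>
  <whitelist name="66.249.78.60" and="32" invisible="true"/>
  <whitelist name="66.249.64.0" and="19" invisible="true"/>
</schema>"""


def parse_whitelists(xml_text):
    """Turn each <whitelist> into an ip_network: 'name' is the base address
    and 'and' is the CIDR prefix length (number of mask bits)."""
    nets = []
    for el in ET.fromstring(xml_text).iter("whitelist"):
        bits = int(el.get("and", "32"))  # no 'and' given: treat as a single host
        # strict=False tolerates host bits set in 'name' (e.g. 66.249.64.5 with and="19")
        nets.append(ipaddress.ip_network(f"{el.get('name')}/{bits}", strict=False))
    return nets


def matches(ip, nets):
    """Return the first whitelist network covering ip, or None. Membership is the
    mask-and-compare a prefix length implies: (ip & mask) == (name & mask)."""
    addr = ipaddress.ip_address(ip)
    return next((net for net in nets if addr in net), None)


def host_count(cidr):
    """Usable hosts in a block (network and broadcast excluded): a /19 gives
    8192 - 2 = 8190, the figure the article quotes for 66.249.64.0/19."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses


def whitelist_entry(cidr, invisible=True):
    """Render a CIDR block as a whitelist element, normalising to the network address."""
    net = ipaddress.ip_network(cidr, strict=False)
    flag = str(invisible).lower()
    return f'<whitelist name="{net.network_address}" and="{net.prefixlen}" invisible="{flag}"/>'


if __name__ == "__main__":
    nets = parse_whitelists(SAMPLE_SCHEMA)
    for ip in ("66.249.66.1", "66.249.78.60", "66.249.96.1"):
        print(ip, "->", matches(ip, nets))
    print(host_count("66.249.64.0/19"), "usable hosts in 66.249.64.0/19")
    print(whitelist_entry("66.249.64.0/19"))
```

Running it shows that 66.249.96.1 falls outside the /19 even though it starts with 66.249, which is exactly the kind of boundary a CIDR calculator helps you confirm.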
