Oracle Cloud Infrastructure Documentation

Threat Intelligence

WAF has several sources of known IP address threats that are updated daily. The IP address threats are displayed in the following table:

Source | Description
abuse.ch | Blacklist of "bad" SSL certificates identified by abuse.ch to be associated with malware or botnet activities.
Bambenek Consulting | Active and non-sinkholed Command & Control (C&C) IP addresses.
BlockList.de | Includes IP addresses for hosting phishing sites and other kinds of fraud activities such as ad-click or gaming fraud.
BruteForceBlocker Project | Feed of known IP addresses from blocked SSH brute force attacks.
Proofpoint ET Labs | IP addresses involved in suspicious and malicious activity.
Feodo IP Blocklist | IP addresses used as a C&C communication channel by the Feodo Trojan.
Palevo | IP addresses being used as botnet C&C for the Palevo crimeware.
Webroot BotNets | Botnet C&C channels and infected zombie machines controlled by a bot master.
Webroot Denial of Service | Includes DoS, DDoS, anomalous SYN flood, and anomalous traffic detection.
Webroot Mobile Threats | IP addresses of malicious and unwanted mobile applications. This category leverages data from the Webroot mobile threat research team.
Webroot Phishing | IP addresses hosting phishing sites and other kinds of illicit activities such as ad-click or gaming fraud.
Webroot Proxy | IP addresses providing proxy and def services.
Webroot Reputation | IP addresses currently known to be infected with malware. This category also includes IP addresses with a low average Webroot Reputation Index score.
Webroot Scanners | Includes all reconnaissance such as probes, host scans, domain scans, and password brute force attacks.
Webroot Spam Sources | Includes tunneling spam messages through proxies, anomalous SMTP activities, and forum spam activities.
Webroot Tor Proxy | Includes IP addresses acting as exit nodes for the Tor network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator's intended destination.
Webroot Web Attacks | Includes known IP addresses involved in cross-site scripting, iFrame injection, SQL injection, cross-domain injection, or domain password brute force attacks.
Webroot Windows Exploits | Includes active IP addresses offering or distributing malware, shell code, rootkits, worms, or viruses.
ZeuS | IP blocklist including known C&C servers/hosts.

Using the CLI

You can use the CLI to enable threat intelligence sources to block.

Open a command prompt and run the following command to list the keys for all of the threat intelligence feeds:

oci waas threat-feed list --waas-policy-id <policy_ocid>

Then pick the keys of the feeds you want to block and pass them in the JSON array of the update command:

oci waas threat-feed update --threat-feeds '[{"key":"<key_id>","action":"BLOCK"}]' --waas-policy-id <policy_ocid>

For example:

oci waas threat-feed update --threat-feeds '[{"key":"0998d237-bce8-4612-82c8-a1ca126c0492","action":"BLOCK"}]' --waas-policy-id ocid1.waaspolicy.oc1..aaaaaaaapfa5zrwnns75kru7mrlzkkmcdevp7w55ld3phjxtgl4s2phuepjq

Using the API

Enabling Threat Intelligence can only be performed by using the API at this time.

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Listing the threat intelligence feeds returns a set of keys, each with its current action:

Note

Do not use the keys in the example below, as keys are unique across each policy.

    {
        "8d3f7f1b-673f-4e3a-ba49-08226f385df3": "OFF",
        "0ff7b308-6afe-4b83-91e0-e3ca04afed6e": "OFF",
        "ea5d7c67-1326-43c9-ac31-1df034b9c063": "OFF",
        "87b420ca-5fbb-4ad4-aeba-1b02a9e60b30": "OFF",
        "2168fc70-2d05-466a-9db5-c13c0e32177d": "OFF",
        "7d080a4a-58ce-4370-a02c-f600b3a84e7b": "OFF",
        "a36c7c50-e99e-4b84-9140-5653fc68ce8d": "OFF",
        "5de7bbc1-313f-4995-9810-f6f77cfd30c9": "OFF",
        "fd2152cc-14f5-4471-a58b-d94cc8a61444": "OFF",
        "cfacd3d3-65d9-4368-93e0-62c906e7a748": "OFF",
        "6eb86368-01ea-4e94-ac1b-49bf0e551443": "OFF",
        "aabb45d9-0d75-481d-9568-58ecad217e1e": "OFF",
        "3805ecc2-1d6d-428b-a03e-2a0fe77fd46f": "OFF",
        "c3452861-4910-4f3a-9872-22cf92d424eb": "OFF",
        "4cf31deb-11af-460e-a46a-ecc1946a6688": "OFF",
        "eff34d63-6235-4081-976d-acd39248bdc3": "OFF",
        "1d1c94d9-038b-45eb-acd4-fb422e281f4c": "OFF",
        "687b5ff4-b1b6-4d12-8dba-3ea90b4536a1": "OFF",
        "65cf274d-991b-41f8-adda-6fe60ba2704f": "OFF"
    }

To set all threats to DETECT:

  • UpdateThreatFeeds
  • With body:

    [
        {"action":"DETECT","key":"8d3f7f1b-673f-4e3a-ba49-08226f385df3"},
        {"action":"DETECT","key":"0ff7b308-6afe-4b83-91e0-e3ca04afed6e"},
        {"action":"DETECT","key":"ea5d7c67-1326-43c9-ac31-1df034b9c063"},
        {"action":"DETECT","key":"87b420ca-5fbb-4ad4-aeba-1b02a9e60b30"},
        {"action":"DETECT","key":"2168fc70-2d05-466a-9db5-c13c0e32177d"},
        {"action":"DETECT","key":"7d080a4a-58ce-4370-a02c-f600b3a84e7b"},
        {"action":"DETECT","key":"a36c7c50-e99e-4b84-9140-5653fc68ce8d"},
        {"action":"DETECT","key":"5de7bbc1-313f-4995-9810-f6f77cfd30c9"},
        {"action":"DETECT","key":"fd2152cc-14f5-4471-a58b-d94cc8a61444"},
        {"action":"DETECT","key":"cfacd3d3-65d9-4368-93e0-62c906e7a748"},
        {"action":"DETECT","key":"6eb86368-01ea-4e94-ac1b-49bf0e551443"},
        {"action":"DETECT","key":"aabb45d9-0d75-481d-9568-58ecad217e1e"},
        {"action":"DETECT","key":"3805ecc2-1d6d-428b-a03e-2a0fe77fd46f"},
        {"action":"DETECT","key":"d9cfc537-dd50-427d-830e-a612f535c11f"},
        {"action":"DETECT","key":"c3452861-4910-4f3a-9872-22cf92d424eb"},
        {"action":"DETECT","key":"4cf31deb-11af-460e-a46a-ecc1946a6688"},
        {"action":"DETECT","key":"eff34d63-6235-4081-976d-acd39248bdc3"},
        {"action":"DETECT","key":"1d1c94d9-038b-45eb-acd4-fb422e281f4c"},
        {"action":"DETECT","key":"687b5ff4-b1b6-4d12-8dba-3ea90b4536a1"},
        {"action":"DETECT","key":"65cf274d-991b-41f8-adda-6fe60ba2704f"}
    ]

    This will return a 202 Accepted HTTP status, which means the policy will enter an UPDATING state until changes are provisioned to the edge nodes.