#1 Newbie | Join Date: Mar 2017 | Posts: 2

Log reputation and Threat Lookup mismatch - Moderate and Suspicious blocked as High

I've found that a lot of addresses blocked in my log as "High Risk" reputation are only "Suspicious" or even "Moderate Risk" when I look them up with the built-in Threat Lookup.

For example, in my log 142.93.8.39 is blocked as "High Risk".
In the Threat Lookup it is "Suspicious" and Recent Threat Count is 0.
In www.abuseipdb.com it's at 0%.

I found 5 IPs like this on just one page of my log, and I only checked half of the entries.

    For what possible reason would Threat Lookup and the Threat Prevention Firewall use different sources of data for threat levels? The data used for the Threat Lookup seems to be way more accurate.


    I tried setting Reputation Threshold to max and then used a rule to just block high risk with certain categories but it's not even accurate enough for that.

    Am I doing something wrong?

#2 Untangler jcoffin | Join Date: Aug 2008 | Location: Sunnyvale, CA | Posts: 9,210

    IP reputation is not the same as URL. An IP can have multiple domains associated with it.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

#3 Newbie | Join Date: Mar 2017 | Posts: 2

I'm not sure what URL you are referring to; if it's abuseipdb.com that I mentioned in my post, that's just another IP abuse lookup tool that showed the IP as low risk.

Or are you saying that for some things like SMTP it's not checking just the IP but the sending domain? If that's the case, then I think reports like Non-Web Blocked Events should include the domain that was evaluated and not just the IP.

My question is why do the Threat Lookup tool and the Non-Web Blocked Events show different reputation information for the same IP? Is Threat Prevention taking some data into account (sending domain, for example) that does not show up in the Threat Lookup tool? If so, then whatever extra criteria are being evaluated need to be in the log.

Sorry if my original post was unclear.
Thanks
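The manual cross-check the original poster did (pull blocked IPs from the Non-Web Blocked Events log, look each one up, and flag the ones whose lookup band disagrees with the logged band) can be automated. The following is an added example and is not Untangle's code; the log line format, the lookup result shape, and the 1-100 score-to-band thresholds are all assumptions for the example (modelled on the BrightCloud-style scale where a lower score is worse), and every address other than 142.93.8.39 is a constructed documentation address.

```python
import re
from typing import Dict, List

# Constructed sample of blocked-event log lines. The layout is assumed for this
# example and is not Untangle's real report format.
SAMPLE_LOG = """\
2017-03-10 09:12:01 block 142.93.8.39 reputation=High Risk category=Scanners
2017-03-10 09:12:07 block 198.51.100.7 reputation=High Risk category=Spam Sources
2017-03-10 09:12:15 block 203.0.113.9 reputation=High Risk category=Botnets
"""

# Constructed Threat Lookup results keyed by IP. "score" is on an assumed
# 1-100 scale (lower is worse); "recent_threat_count" mirrors the lookup field
# the poster quoted. Values are made up for the example.
SAMPLE_LOOKUP: Dict[str, Dict[str, int]] = {
    "142.93.8.39": {"score": 35, "recent_threat_count": 0},
    "198.51.100.7": {"score": 12, "recent_threat_count": 4},
    "203.0.113.9": {"score": 55, "recent_threat_count": 0},
}

# Assumed band thresholds (upper bound inclusive), ordered from worst to best.
BANDS = [
    (20, "High Risk"),
    (40, "Suspicious"),
    (60, "Moderate Risk"),
    (80, "Low Risk"),
    (100, "Trustworthy"),
]

LINE_RE = re.compile(
    r"^\S+ \S+ block (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"reputation=(?P<rep>[A-Za-z ]+?) category="
)


def score_to_band(score: int) -> str:
    """Map a numeric reputation score onto the named band it falls in."""
    if not 1 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise AssertionError("unreachable: BANDS covers 1-100")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Extract (ip, logged reputation band) pairs; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append({"ip": m.group("ip"), "logged": m.group("rep")})
    return entries


def find_mismatches(entries: List[Dict[str, str]],
                    lookup: Dict[str, Dict[str, int]]) -> List[Dict[str, object]]:
    """Return entries whose logged band differs from the band implied by the lookup score.

    IPs absent from the lookup are skipped rather than reported, so a missing
    lookup result is never mistaken for a disagreement.
    """
    mismatches = []
    for e in entries:
        result = lookup.get(e["ip"])
        if result is None:
            continue
        lookup_band = score_to_band(result["score"])
        if lookup_band != e["logged"]:
            mismatches.append({
                "ip": e["ip"],
                "logged": e["logged"],
                "lookup_band": lookup_band,
                "score": result["score"],
                "recent_threat_count": result["recent_threat_count"],
            })
    return mismatches


if __name__ == "__main__":
    for m in find_mismatches(parse_log(SAMPLE_LOG), SAMPLE_LOOKUP):
        print(f"{m['ip']}: logged {m['logged']!r}, lookup {m['lookup_band']!r} "
              f"(score {m['score']}, recent threats {m['recent_threat_count']})")
```

Run against a real export, the interesting output is the set of blocked IPs whose lookup band is two or more steps better than the logged band; those are the ones worth raising with support alongside the event timestamps, since the log alone does not show which additional signal (for example a sending domain) drove the block.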
