pfBlockerNG - Proofpoint ET IQRISK IPv4 Reputation
-
I have been trying to figure out how to set up Proofpoint ET IQRISK IPv4 Reputation, but I must not be doing something right.
The ET IQRisk Blocklist URL path breaks at /reputation/iprepdata.txt.gz. If I go to the path in a browser it contains snort\suricata versions. Like it is documented here https://rules.emergingthreatspro.com/PRO_download_instructions.html
I have searched for documentation on how to set this up but have not found much.
-
Hello everybody, Proofpoint ET IQRISK has changed its name to ET Intelligence. It is a separate offering that Proofpoint offers. The company I work for is looking to purchase this solution if I can get the trial to work.
I am confused by the instructions I posted 16 days ago:
-
The trial gave me a URL with what I think already contains the ETPro code referenced in the instructions. It looks like this but instead of "X" it has the code: https://rules.emergingthreatspro.com/XXXXXXXXXXXXXXXXX/reputation/
-
I appended /iprepdata.txt.gz to the end and it correctly downloads in a browser.
-
I go to the IPv4 list tab and "ET IQRisk" is not a format in the list.
-
I leave it on Auto just to see what would happen. Now the Proofpoint ET IPRep files exist and have IP in them. So that seems good!
-
This is where I get lost. I go back to the reputation tab under IP, populate the Header from the first screenshot, and select the Block Categories. What does the step highlighted in blue mean?
-
The text that you highlighted is referencing IP "Match" types. It's not needed if you want to Block those IPs. pfSense allows creating Match IP Rules, to allow for the "Logging" of the event and nothing further.