SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Security intelligence leveraging local text file as feed instead of cloud feed

    Posted 29 days ago

    Hello Guys,

    I don't have an ATP license and I have a concern to block some public IPs that are suspected to be C&C, so can I put those domains in a text file on the SRX box, like "/var/tmp/CC-Domains.txt", and leverage it as a feed for the security-intelligence?

    Also, the same to create a text file for some domains by DNS to use them for DNS sinkhole.

    Also note that I have no Junos Space or security enforcer, so this has to be done on the box itself.



    ------------------------------
    OMER MUKHTAR
    ------------------------------



  • 2.  RE: Security intelligence leveraging local text file as feed instead of cloud feed

    Posted 25 days ago

    Out of everything you mentioned the best I've gotten is a custom dynamic-address feed. But with IP addresses only, not domain names. All the official instructions I've found reference Junos Space. Without Space, I've had success adapting Francois Prowse's dynamic address script to generate my own custom feed. See https://github.com/farsonic/dynamic-address. But I don't know if the dynamic-address configuration will support a local on-box file URL; I've only tried https.

    As for doing this with a DNS sinkhole, again I don't know if you can do this on-box. Even if you could hack around the DNS-Proxy feature configuration files (for some reason I'm thinking it uses bind under the hood, but I could be getting my wires crossed and thinking of something else) in order to include your own custom file, those configuration hacks may or may not survive commit / reboot / upgrade. It'd be nice if you could configure an external DNS server to summarize all known bad IPs under a single hostname (e.g. badsites.local) so that you can define an address-book entry using dns-name and then just have a policy block all traffic to / from there.



    ------------------------------
    Nikolay Semov
    ------------------------------
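As an added illustration of the custom dynamic-address approach described in the reply above (this is not configuration from either poster or from the linked script), the fragment below consumes a self-hosted HTTPS feed and uses it in a deny policy. The feed hostname, feed and file names, dynamic-address name and zone names are all assumptions; the SRX feed-server workflow needs a reachable web server, so it does not answer the on-box file question.

```junos
## Feed file, served at https://feeds.example.internal/cc-ips.txt (assumed host).
## Plain text, one IPv4/IPv6 address or prefix per line, '#' starts a comment:
##   # suspected C&C, constructed sample entries
##   203.0.113.10
##   198.51.100.0/24

## Feed server: where to fetch, how often to refresh, how long to keep
## entries if the server becomes unreachable
set security dynamic-address feed-server cc-feed hostname feeds.example.internal
set security dynamic-address feed-server cc-feed update-interval 300
set security dynamic-address feed-server cc-feed hold-interval 3600
set security dynamic-address feed-server cc-feed feed-name cc-ips path cc-ips.txt

## Dynamic address object backed by that feed (usable in security policy)
set security dynamic-address address-name suspected-cc profile feed-name cc-ips

## Deny and log outbound sessions to feed members; place this policy
## above the general permit rule in the trust -> untrust context
set security policies from-zone trust to-zone untrust policy block-cc match source-address any
set security policies from-zone trust to-zone untrust policy block-cc match destination-address suspected-cc
set security policies from-zone trust to-zone untrust policy block-cc match application any
set security policies from-zone trust to-zone untrust policy block-cc then deny
set security policies from-zone trust to-zone untrust policy block-cc then log session-init

## Operational checks after commit: confirm the feed was fetched and
## how many entries the dynamic address currently holds
##   show security dynamic-address feed-server cc-feed
##   show security dynamic-address summary
```

Because entries are refreshed on a timer, a freshly added indicator is only enforced after the next successful fetch; the show commands are the quickest way to confirm the SRX actually loaded the file.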