Threat Intelligence

Learn about the sources of known IP address threats that WAF updates daily, and how to set each source to detect or block.

WAF draws on several sources of known IP address threats that are updated daily. Each source is a threat feed that, per WAF policy, can be left OFF, set to DETECT (record matching requests without blocking them), or set to BLOCK. The sources are described in the following table:

Source                    Description
Webroot BotNets           Botnet C&C channels and infected zombie machines controlled by a botmaster.
Webroot Denial of Service DoS and DDoS sources, anomalous SYN floods, and anomalous traffic detection.
Webroot Mobile Threats    IP addresses of malicious and unwanted mobile applications. This category leverages data from the Webroot mobile threat research team.
Webroot Phishing          IP addresses hosting phishing sites and other kinds of illicit activities such as ad-click or gaming fraud.
Webroot Proxy             IP addresses providing proxy and def services.
Webroot Reputation        IP addresses currently known to be infected with malware. This category also includes IP addresses with a low average Webroot Reputation Index score.
Webroot Scanners          All reconnaissance, such as probes, host scans, domain scans, and password brute-force attacks.
Webroot Spam Sources      Spam messages tunnelled through proxies, anomalous SMTP activity, and forum spam activity.
Webroot Tor Proxy         IP addresses acting as exit nodes for the Tor network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator's intended destination.
Webroot Web Attacks       Known IP addresses involved in cross-site scripting, iFrame injection, SQL injection, cross-domain injection, or domain password brute-force attacks.
Webroot Windows Exploits  Active IP addresses offering or distributing malware, shellcode, rootkits, worms, or viruses.
  • This task can't be performed using the Console; use the CLI or the API.

  • Using the CLI, you can set each threat intelligence source to DETECT or BLOCK (or turn it OFF).

    Open a command prompt and run the following command to list the keys of all threat intelligence sources for a policy:

    oci waas threat-feed list --waas-policy-id <policy_ocid>

    Then copy the keys of the sources you want to block into the JSON array passed to --threat-feeds (one object per source; keys are unique to each policy):

    oci waas threat-feed update --threat-feeds '[{"key":"<key_id>","action":"BLOCK"}]' --waas-policy-id <policy_ocid>

    For example:

    oci waas threat-feed update --threat-feeds '[{"key":"0998d237-bce8-4612-82c8-a1ca126c0492","action":"BLOCK"}]' --waas-policy-id ocid1.waaspolicy.oc1...
  • Threat Intelligence can also be enabled by calling the API directly.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.

    To return the keys of all threat intelligence sources for a policy:

    • ListThreatFeeds

      Note

      Do not use the keys in the example below: keys are unique to each policy, so list the keys of your own policy first.

      {
        "8d3f7f1b-673f-4e3a-ba49-08226f385df3": "OFF",
        "0ff7b308-6afe-4b83-91e0-e3ca04afed6e": "OFF",
        "ea5d7c67-1326-43c9-ac31-1df034b9c063": "OFF",
        "87b420ca-5fbb-4ad4-aeba-1b02a9e60b30": "OFF",
        "2168fc70-2d05-466a-9db5-c13c0e32177d": "OFF",
        "7d080a4a-58ce-4370-a02c-f600b3a84e7b": "OFF",
        "a36c7c50-e99e-4b84-9140-5653fc68ce8d": "OFF",
        "5de7bbc1-313f-4995-9810-f6f77cfd30c9": "OFF",
        "fd2152cc-14f5-4471-a58b-d94cc8a61444": "OFF",
        "cfacd3d3-65d9-4368-93e0-62c906e7a748": "OFF",
        "6eb86368-01ea-4e94-ac1b-49bf0e551443": "OFF",
        "aabb45d9-0d75-481d-9568-58ecad217e1e": "OFF",
        "3805ecc2-1d6d-428b-a03e-2a0fe77fd46f": "OFF",
        "c3452861-4910-4f3a-9872-22cf92d424eb": "OFF",
        "4cf31deb-11af-460e-a46a-ecc1946a6688": "OFF",
        "eff34d63-6235-4081-976d-acd39248bdc3": "OFF",
        "1d1c94d9-038b-45eb-acd4-fb422e281f4c": "OFF",
        "687b5ff4-b1b6-4d12-8dba-3ea90b4536a1": "OFF",
        "65cf274d-991b-41f8-adda-6fe60ba2704f": "OFF"
      }

    To set all threat intelligence sources to DETECT:

    • UpdateThreatFeeds

      With body:

      [
        {"action": "DETECT", "key": "8d3f7f1b-673f-4e3a-ba49-08226f385df3"},
        {"action": "DETECT", "key": "0ff7b308-6afe-4b83-91e0-e3ca04afed6e"},
        {"action": "DETECT", "key": "ea5d7c67-1326-43c9-ac31-1df034b9c063"},
        {"action": "DETECT", "key": "87b420ca-5fbb-4ad4-aeba-1b02a9e60b30"},
        {"action": "DETECT", "key": "2168fc70-2d05-466a-9db5-c13c0e32177d"},
        {"action": "DETECT", "key": "7d080a4a-58ce-4370-a02c-f600b3a84e7b"},
        {"action": "DETECT", "key": "a36c7c50-e99e-4b84-9140-5653fc68ce8d"},
        {"action": "DETECT", "key": "5de7bbc1-313f-4995-9810-f6f77cfd30c9"},
        {"action": "DETECT", "key": "fd2152cc-14f5-4471-a58b-d94cc8a61444"},
        {"action": "DETECT", "key": "cfacd3d3-65d9-4368-93e0-62c906e7a748"},
        {"action": "DETECT", "key": "6eb86368-01ea-4e94-ac1b-49bf0e551443"},
        {"action": "DETECT", "key": "aabb45d9-0d75-481d-9568-58ecad217e1e"},
        {"action": "DETECT", "key": "3805ecc2-1d6d-428b-a03e-2a0fe77fd46f"},
        {"action": "DETECT", "key": "d9cfc537-dd50-427d-830e-a612f535c11f"},
        {"action": "DETECT", "key": "c3452861-4910-4f3a-9872-22cf92d424eb"},
        {"action": "DETECT", "key": "4cf31deb-11af-460e-a46a-ecc1946a6688"},
        {"action": "DETECT", "key": "eff34d63-6235-4081-976d-acd39248bdc3"},
        {"action": "DETECT", "key": "1d1c94d9-038b-45eb-acd4-fb422e281f4c"},
        {"action": "DETECT", "key": "687b5ff4-b1b6-4d12-8dba-3ea90b4536a1"},
        {"action": "DETECT", "key": "65cf274d-991b-41f8-adda-6fe60ba2704f"}
      ]

      The call returns HTTP 202 Accepted: the update is asynchronous, and the policy stays in the UPDATING state until the new configuration has been provisioned to the edge nodes. Check the policy's lifecycle state before assuming the new actions are being enforced.
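The CLI and API procedures above both come down to the same two steps: list the feeds of a policy, then send back an array of {"action", "key"} objects. The script below is an added example (not OCI's own code) that builds that array from a listing and supports a staged rollout: first set every source to DETECT, review what would have been blocked, then promote the high-confidence categories (here Webroot BotNets and Webroot Web Attacks) to BLOCK. It assumes that `oci waas threat-feed list` prints a JSON object whose "data" member is a list of objects carrying at least "key", "name" and "action"; it also accepts the bare {key: action} map shown above. The feed keys, names and policy OCID in the sample are constructed, and the rendered command is only printed, never executed.

```python
"""Build UpdateThreatFeeds request bodies from a ListThreatFeeds response.

Added example, not OCI's own code. Assumed CLI output shape: {"data": [{"key", "name",
"action", ...}, ...]}; the bare {key: action} map form is accepted as well.
"""
import json
import shlex

VALID_ACTIONS = ("OFF", "DETECT", "BLOCK")

# Constructed sample listing (keys and names made up); real keys are unique to each policy.
SAMPLE_LIST_OUTPUT = json.dumps({
    "data": [
        {"key": "11111111-aaaa-4bbb-8ccc-000000000001", "name": "Webroot BotNets", "action": "OFF"},
        {"key": "11111111-aaaa-4bbb-8ccc-000000000002", "name": "Webroot Web Attacks", "action": "OFF"},
        {"key": "11111111-aaaa-4bbb-8ccc-000000000003", "name": "Webroot Tor Proxy", "action": "DETECT"},
        {"key": "11111111-aaaa-4bbb-8ccc-000000000004", "name": "Webroot Scanners", "action": "BLOCK"},
    ]
})


def parse_threat_feeds(raw):
    """Return {key: {"name": name_or_None, "action": action}} from either response shape.

    Unknown actions are rejected so a changed or mis-parsed listing fails loudly
    instead of silently producing an update body that disables a feed.
    """
    doc = json.loads(raw) if isinstance(raw, str) else raw
    if isinstance(doc, dict) and "data" in doc:
        doc = doc["data"]
    feeds = {}
    if isinstance(doc, list):            # assumed CLI/SDK shape: list of feed objects
        for item in doc:
            feeds[item["key"]] = {"name": item.get("name"), "action": item["action"]}
    elif isinstance(doc, dict):          # bare {key: action} map as shown on this page
        for key, action in doc.items():
            feeds[key] = {"name": None, "action": action}
    else:
        raise ValueError("unrecognised ListThreatFeeds response")
    for key, info in feeds.items():
        if info["action"] not in VALID_ACTIONS:
            raise ValueError(f"feed {key} has unknown action {info['action']!r}")
    return feeds


def build_update_body(feeds, default_action="DETECT", block_names=(), changed_only=True):
    """Build the UpdateThreatFeeds body as a list of {"action", "key"} objects.

    The body declares the desired state of every feed: feeds named in block_names get
    BLOCK, all others get default_action (so a feed that was BLOCK but is not named is
    downgraded on purpose). With changed_only, feeds already at their target are omitted.
    A name that does not exist in this policy is an error, not a silent no-op.
    """
    if default_action not in VALID_ACTIONS:
        raise ValueError(f"invalid action {default_action!r}")
    wanted = set(block_names)
    seen = set()
    body = []
    for key, info in feeds.items():
        if info["name"] in wanted:
            target = "BLOCK"
            seen.add(info["name"])
        else:
            target = default_action
        if changed_only and info["action"] == target:
            continue
        body.append({"action": target, "key": key})
    missing = wanted - seen
    if missing:
        raise ValueError(f"feeds not present in this policy: {sorted(missing)}")
    return body


def cli_command(body, policy_ocid):
    """Render the equivalent `oci waas threat-feed update` invocation (printed only, never run)."""
    return ("oci waas threat-feed update --threat-feeds "
            + shlex.quote(json.dumps(body, separators=(",", ":")))
            + " --waas-policy-id " + shlex.quote(policy_ocid))


if __name__ == "__main__":
    feeds = parse_threat_feeds(SAMPLE_LIST_OUTPUT)
    policy = "ocid1.waaspolicy.oc1..example"   # constructed placeholder OCID
    # Stage 1: every source to DETECT, so hits are recorded without blocking traffic.
    print(cli_command(build_update_body(feeds, "DETECT"), policy))
    # Stage 2: after reviewing the detections, BLOCK the high-confidence categories.
    print(cli_command(build_update_body(feeds, "DETECT",
                                        block_names=["Webroot BotNets", "Webroot Web Attacks"]), policy))
```

Because each update body is a full desired-state declaration, keep the list of categories you intend to BLOCK under version control and regenerate the body from a fresh listing each time; keys differ between policies, so a body built for one policy must never be replayed against another.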