Auto-Update feed adapter
BMC Defender Server includes a simple adapter that adds a component to assist with automatic updates of the reputation database. This adapter is available on request, and creates the System > Tools > Auto-Update > IP Reputation DB tab on the system. The adapter permits the administrator to schedule the fetching of the standard reputation database and report. The adapter window is displayed as follows:
The window is a standard BMC Defender Server dialog box. The operator clicks Edit to edit the parameters, then clicks Save to save the parameters for future operation. By default, the feed is fetched at the start of each month from www.bmc.com. The feed can be fetched immediately by clicking Download. The operator can view the feed process log and access the full report data using the links at the top of the window.
The following table describes the elements on the window:
| Element | Description |
|---|---|
| Edit | This button allows the Feed Master Enable, Feed URL, Schedule Execution, and Exclude settings to be edited. (These settings are described in the rows that follow.) |
| Run Report | Click Run Report to fetch the feed immediately. Otherwise, you can wait for the scheduled execution specified on the Edit window. |
| Feed Master Enable | This option can be changed using Edit, and is the master enable for the scheduled feed update. The value Enabled enables the periodic process. The value Disabled disables the periodic process (but still allows reports to be fetched using Run Report). |
| Feed URL | Enter the URL of the feed site. Unless otherwise instructed or advised by support, the value should not be changed; it is configured to correctly access the reputation database described in this space. |
| Proxy URL | Enter the URL of a proxy server, if one is required. The HTTP proxy server should be specified as a standard URL and port number combination. If no HTTP proxy server is required or exists, leave this field blank so that files are fetched directly from the Feed URL. |
| Schedule Execution | This option permits the operator to specify when the feed is fetched from the Feed URL. The value is reflected in the System > Scheduler window. The operator can select a weekly, monthly, or advanced schedule. (See the notes on the System > Scheduler window in other spaces for a further discussion of these controls.) |
| Exclude Single References | This setting can be changed using Edit, and controls how strict the list is. By default, the value is No, which means that any subnet in the IP Block list feed is regarded as having a bad reputation, and all entries in the block list appear in the @@ip_blocklist@@ list macro. Setting the value to Yes requires an entry to be referenced at least twice (that is, included in at least two of the lists described earlier). This can be used to reduce false positives in some environments, by requiring an IP to be recognized by at least two lists. |
| Identify Bad Subnet | This option can be changed using Edit, and outputs a subnet block address if more than 25 different IP addresses in the subnet are identified as having a bad reputation. This can enhance security, but can also cause false positives. |
| Share Threat Intelligence | Setting this value to Yes causes the top 10 devices that match the IP blocklist to be posted to the BMC corporate website (using an HTTP POST request). This occurs after the IP blocklist is fetched. No other data or corporate information is shared, and the posting is completely anonymous. Setting the value to Yes assists BMC Defender engineering with constructing the weekly reputation database. |
| List Metric Values | The bottom of the window shows the number of IP addresses in the list, the size of the file, and the time at which the file was downloaded. These metrics correspond to the operating lists on the system, and depend on when the list was fetched and whether Exclude Single References is set to Yes or No. |
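As an added illustration (example code, not BMC's own) of how the Exclude Single References and Identify Bad Subnet settings shape the consolidated list, the following Python models both rules over constructed sample feeds. It assumes the feeds are plain lists of IPv4 addresses and that "subnet" means the containing /24; neither detail is stated on this page.

```python
# Added example, not BMC Defender code: models how the two list-shaping settings
# (Exclude Single References, Identify Bad Subnet) affect the @@ip_blocklist@@ content.
# Assumptions not on the page: feeds are plain IPv4 address lists; "subnet" = /24.
import ipaddress
from collections import Counter, defaultdict

# Constructed sample feeds standing in for the source lists the adapter fetches.
SAMPLE_FEEDS = {
    "feed_a": ["203.0.113.5", "203.0.113.9", "198.51.100.20"],
    "feed_b": ["203.0.113.5", "198.51.100.20", "192.0.2.77"],
    "feed_c": ["198.51.100.20", "192.0.2.78"],
    # 30 single-reference addresses in one /24, enough to trip the subnet rule.
    "feed_d": [f"192.0.2.{i}" for i in range(100, 130)],
}

SUBNET_THRESHOLD = 25  # page: more than 25 bad IPs in a subnet -> emit the subnet block


def build_blocklist(feeds, exclude_single_references=False, identify_bad_subnet=False):
    """Return the sorted entries the list macro would carry under the given settings."""
    # Count in how many distinct feeds each address appears (duplicates within
    # one feed count once, so a single noisy feed cannot satisfy the rule alone).
    references = Counter()
    for entries in feeds.values():
        for ip in set(entries):
            references[ipaddress.ip_address(ip)] += 1

    # Exclude Single References = Yes keeps only addresses seen in >= 2 lists.
    min_refs = 2 if exclude_single_references else 1
    bad_ips = {ip for ip, n in references.items() if n >= min_refs}
    result = {str(ip) for ip in bad_ips}

    # Identify Bad Subnet = Yes adds the /24 when it holds more than 25 bad addresses.
    if identify_bad_subnet:
        per_subnet = defaultdict(set)
        for ip in bad_ips:
            per_subnet[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
        for net, members in per_subnet.items():
            if len(members) > SUBNET_THRESHOLD:
                result.add(str(net))
    return sorted(result)


if __name__ == "__main__":
    for excl in (False, True):
        for subnet in (False, True):
            entries = build_blocklist(SAMPLE_FEEDS, excl, subnet)
            print(f"exclude_single={excl} identify_subnet={subnet}: {len(entries)} entries")
```

Running it shows why the metrics at the bottom of the window change with the Exclude Single References setting: the same four feeds yield 35 entries with the default settings but only 2 once single references are excluded.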