BMC Defender Server block list and reputation database


As a standard feature of the BMC Defender Server, BMC synthesizes and maintains a list of IP address subnets with bad reputations. These subnets are saved in the @@ip_blocklist@@ list macro at the BMC Defender Server.

This list is updated each week by BMC Defender and is placed at a well-known URL on the BMC Defender, permitting easy access by BMC Defender users and licensees. BMC Defender also provides tools that download this reputation database to each server automatically, so that every BMC Defender Server keeps a current list of subnets with bad reputations.

This application note furnishes information on the actual block list and reputation database feed, as well as information on how to configure the system to automatically download this list using an adapter at the BMC Defender Server.

Summary and additional notes for IP block list and reputation database

The following notes apply to the IP block list and reputation database:

  • The reputation database is configured within the system residing in the Correlation > Config > Lists screen, within the @@ip_blocklist@@ macro. This list can be manually modified (but any changes are lost during the next update of the system). This particular list macro is used by various pre-configured correlation threads and alerts.
  • After installing the REPDB adapter, the operator can navigate to the System > Tools > Auto Update tab to view the IP Reputation Database screen. This screen contains controls, status, and debug information necessary to download the reputation database and update the @@ip_blocklist@@ list macro.
  • After installing the REPDB adapter, the administrator should edit the IP Reputation Database screen and set the Scheduled Execution time to be some value other than None for automatic updates to occur. (Otherwise an update occurs only when the user clicks Run Report on the screen.)

    Note

    By default no automatic updates occur until the user sets the scheduled time to something other than the default None value.

  • The GenRepDB.exe program, which is responsible for obtaining the reputation database, is automatically configured to run when the Scheduled Execution time is set. This program also appears on the System > Scheduler screen.
  • The installationDirectory\feeds folder contains files used by the system, including MD5 checksums and other identification information. These files should not be modified without assistance from support.
    Replace installationDirectory with the directory in which you installed the product. The default directory is C:\Program Files\BMC Software\BMC Defender.
  • No updates occur if any errors are encountered during the process, including checksum errors on the files. In this case, the user should click the Process Log link to diagnose the issue.
  • The installationDirectory\feeds\GET_IP_FEED.bat file is responsible for downloading the files from the reputation database using the wget.exe program (the installation package adds wget.exe to the system folder). The installationDirectory\feeds\GET_IP_FEED.log file contains the transcript of the most recent download operation, which is useful for debugging and analysis.

The BMC Defender IP Reputation Database feed, while publicly available, might be disabled for specific users and sites if the URL is over-accessed. Sites should not download the reputation database more than once a week, except under certain circumstances. If the user cannot obtain the reputation database for any reason, contact BMC Support for assistance.
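The notes above describe three checks that the REPDB update path performs: the downloaded files are verified against MD5 checksums, no update is applied when a checksum (or any other) error occurs, and the feed should not be fetched more than once a week. The following Python example, added here and not part of the BMC Defender product or its GenRepDB.exe/GET_IP_FEED.bat tooling, models those checks on a constructed sample feed: it verifies the checksum, parses CIDR subnets, keeps the existing list untouched when verification fails, enforces the weekly refresh interval, and matches an address against the resulting list the way a correlation thread would consult @@ip_blocklist@@. The feed format (one CIDR per line, `#` comments), the checksum sidecar and the function names are assumptions made for this example.

```python
import hashlib
import ipaddress
from datetime import datetime, timedelta

# Constructed sample feed (assumed format: one CIDR subnet per line, '#' comments).
# These are documentation/test prefixes, not real reputation data.
SAMPLE_FEED = b"""# sample reputation feed (constructed for this example)
198.51.100.0/24
203.0.113.0/25
2001:db8:bad::/48
"""

# Constructed checksum sidecar: the value a companion .md5 file would carry.
SAMPLE_MD5 = hashlib.md5(SAMPLE_FEED).hexdigest()

# The page asks sites not to fetch the feed more than once a week.
MIN_REFRESH = timedelta(days=7)


def verify_feed(feed_bytes, expected_md5):
    """True only if the MD5 of the downloaded feed matches the sidecar value."""
    actual = hashlib.md5(feed_bytes).hexdigest().lower()
    return actual == expected_md5.strip().lower()


def parse_feed(feed_bytes):
    """Parse CIDR subnets; skip blanks and comments; raise ValueError on a bad entry."""
    nets = []
    for raw in feed_bytes.decode("utf-8").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def update_blocklist(current, feed_bytes, expected_md5):
    """Apply the feed only when it verifies and parses cleanly.

    Mirrors the documented behaviour: any error (checksum or content) means
    no update, and the previously installed list is kept as-is.
    Returns (list_in_effect, applied_flag).
    """
    if not verify_feed(feed_bytes, expected_md5):
        return current, False
    try:
        return parse_feed(feed_bytes), True
    except ValueError:
        return current, False


def refresh_due(last_download, now):
    """True if no download has happened yet or at least MIN_REFRESH has elapsed."""
    return last_download is None or now - last_download >= MIN_REFRESH


def is_blocklisted(ip, nets):
    """Membership test an alert or correlation rule would run against the list."""
    addr = ipaddress.ip_address(ip)
    # 'in' is False for a v4 address against a v6 network and vice versa.
    return any(addr in net for net in nets)


if __name__ == "__main__":
    installed, applied = update_blocklist([], SAMPLE_FEED, SAMPLE_MD5)
    print("update applied:", applied, "subnets:", len(installed))
    print("198.51.100.7 blocklisted:", is_blocklisted("198.51.100.7", installed))
    # A tampered or truncated download fails verification and changes nothing.
    kept, applied = update_blocklist(installed, SAMPLE_FEED + b"x", SAMPLE_MD5)
    print("tampered update applied:", applied, "list unchanged:", kept == installed)
```

Running the block stand-alone applies the constructed feed once, then shows a corrupted download being rejected with the installed list left in place, which is the same outcome the page describes for checksum errors (and the point at which an operator would consult the Process Log).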
