BMC Defender Server block list and reputation database


BMC Defender Server synthesizes and maintains a robust list of IP address subnets with bad reputations. These subnets are saved in the @@ip_blocklist@@ list macro on the BMC Defender Server.

BMC Defender Server updates the list weekly and users can easily access the information. The reputation database is automatically downloaded to each server, thereby maintaining a current list of subnets with bad reputations at each product instance.

This section provides information about the block list and reputation database feed, and about how to configure the system to download the list automatically by using a BMC Defender Server adapter.

The following additional notes apply to the IP block list and reputation database:

  • The reputation database is configured in the system on the Correlation > Config > Lists screen, in the @@ip_blocklist@@ macro. This list can be modified manually, but any changes are lost during the next update of the system. This particular list macro is used by various pre-configured correlation threads and alerts.
  • After installing the REPDB adapter, the operator can navigate to the System > Tools > Auto Update tab to view the IP Reputation Database screen. This screen contains controls, status, and debug information necessary to download the reputation database and update the @@ip_blocklist@@ list macro.
  • After installing the REPDB adapter, the administrator should edit the IP Reputation Database screen and set the Scheduled Execution time to be some value other than None for automatic updates to occur. (Otherwise, an update occurs only when the user clicks Run Report on the screen.)

    Important

    By default no automatic updates occur until the user sets the scheduled time to something other than the default None value.

  • The GenRepDB.exe program, which is responsible for obtaining the reputation database, is automatically configured to run when the Scheduled Execution time is set. This program also appears on the System > Scheduler screen.
  • The installationDirectory\feeds folder contains files used by the system, including MD5 checksums and other identification information. These files should not be modified without assistance from support.
    Replace installationDirectory with the directory in which you installed the product. The default directory is C:\Program Files\BMC Software\BMC Defender.
  • No updates occur if any errors are encountered during the process, including checksum errors on the files. In this case, the user should click the Process Log link to diagnose the issue.
  • The installationDirectory\feeds\GET_IP_FEED.bat file is responsible for downloading the files from the reputation database using the wget.exe program (the wget.exe program is added to the system folder by the installation package). The installationDirectory\feeds\GET_IP_FEED.log file contains the last transcript of the download operation, which is useful for debugging and analysis.
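
The fail-closed behaviour described above (a feed whose MD5 checksum does not match, or that cannot be parsed, must leave the existing block list untouched) as an added Python illustration. This is not the code of GenRepDB.exe or GET_IP_FEED.bat; the feed layout (one CIDR subnet per line, a separate hex MD5 value) and the function names are assumptions made for the example.

```python
import hashlib
import ipaddress

# Constructed sample feed and checksum. The real feed file layout and the
# checksum file format are assumptions, not taken from the product docs.
SAMPLE_FEED = b"# constructed sample reputation feed\n198.51.100.0/24\n203.0.113.0/25\n"


def feed_checksum(feed_bytes):
    """Hex MD5 of the feed bytes, as published alongside the feed files."""
    return hashlib.md5(feed_bytes).hexdigest()


def verify_feed(feed_bytes, expected_md5):
    """True only if the downloaded feed matches the published MD5 checksum."""
    return feed_checksum(feed_bytes) == expected_md5.strip().lower()


def parse_feed(feed_bytes):
    """Parse one subnet per line ('#' starts a comment); any bad line raises ValueError."""
    networks = []
    for raw in feed_bytes.decode("utf-8").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=True rejects entries whose host bits are set (e.g. 10.0.0.5/24)
        networks.append(ipaddress.ip_network(line, strict=True))
    return networks


def update_blocklist(current, feed_bytes, expected_md5):
    """Fail-closed update: return the new list only if the feed verifies and parses,
    otherwise return `current` unchanged together with a process-log style message."""
    if not verify_feed(feed_bytes, expected_md5):
        return current, "checksum mismatch; block list left unchanged"
    try:
        new_list = parse_feed(feed_bytes)
    except ValueError as exc:
        return current, f"feed parse error ({exc}); block list left unchanged"
    return new_list, f"block list replaced with {len(new_list)} subnets"


def is_listed(ip, networks):
    """Membership check of the kind a correlation thread would run against the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)
```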

The IP reputation database feed, while publicly available, can be disabled for specific users and sites if the URL is over-accessed. Sites should not need to download the reputation database more than once a week. If the user cannot obtain the reputation database for any reason, contact BMC Support for assistance.
