Observer GigaFlow

Documentation

Watchlists

Located at System > Watchlists.

GigaFlow uses a blacklist compiled from multiple online sources. These lists are retrieved every hour and merged into a list of about 30,000 potentially dangerous IP addresses. Your GigaFlow system checks this hourly-updated list every five minutes and updates the local list when necessary.

Terminology

We are reviewing our code watchlist terminology and will update this documentation to reflect any changes.

Blacklists Available

This table lists the online blacklists available with relevant information. Information includes:

  • The source URL of the blacklist.
  • The size, in number of entries, of this blacklist.
  • Confidence level assigned to this blacklist, i.e. your confidence in its completeness and accuracy.
  • Severity or importance assigned to this blacklist.
  • The date and time of the last update.
  • The provider of the blacklist, defaulting to Gigaflow.
  • The number of entries.
  • The total number of events related to each blacklist.
  • You can unsubscribe from any blacklist.

New Blacklist Source

To add a new blacklist source:

  • Click the Add Whitelist Source icon, first from left at the top of the page.
  • Enter the URL of the new blacklist.
  • Enter a display name for the new blacklist.
  • Enter the importance (or severity) of the new blacklist.
  • Enter your confidence in the new blacklist, i.e. your confidence in its completeness and accuracy.
  • Enter a refresh rate in minutes (defaults to 1 minute).
  • Click Subscribe to add the new blacklist source.

Blacklist Actions

  • Click the Blacklist Actions icon, last from left at the top of the page.

To refresh blacklists automatically, select Yes.

Whitelist Items

GigaFlow can alert on flow entries that match known bad IP addresses, scanning or outside profiles. Whitelisting provides the facility to tell the checking mechanism in GigaFlow that particular IPs or subnets should not raise an exception on any of the defined conditions. When defining a whitelist you should specify a reason for excluding a host or hosts. If you set the IP address to that of the infrastructure device and the mask to zero, GigaFlow will whitelist all traffic for the device.

The whitelist table shows a list of the current whitelisted items, including the following information:

  • Address.
  • Mask.
  • Entered.
  • User.
  • Reason.
  • Hits, i.e. the number of matched flows to that item.
  • Action.

You can select the number of items to show from the dropdown menu above the table; the default is 50 items.

To add a new whitelist entry:

  • Click the Add Whitelist Entry icon, second from left at the top of the page.
  • Enter the IP address of the site to be whitelisted.
  • Enter its IP mask.
  • Enter a reason for its whitelisting.
  • Click Add.
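The checking mechanism described above, as an added illustration (not GigaFlow's own code): subscribed blacklist sources carry a severity and confidence, a whitelist entry is an address plus prefix length (a prefix of 0 matches every address of that IP version), and each suppressed match increments that entry's Hits counter. All feeds, addresses and field names below are constructed.

```python
import ipaddress

# Constructed sample data: two subscribed blacklist sources with the
# severity and confidence values the Watchlists table tracks per source.
BLACKLISTS = {
    "feed-a": {"severity": 3, "confidence": 80,
               "entries": {"203.0.113.10", "198.51.100.7"}},
    "feed-b": {"severity": 5, "confidence": 60, "entries": {"203.0.113.10"}},
}

def merge_blacklists(sources):
    """Merge per-source entry sets into one lookup: ip -> list of source names."""
    merged = {}
    for name, src in sources.items():
        for ip in src["entries"]:
            merged.setdefault(ip, []).append(name)
    return merged

class Whitelist:
    """Address/mask exceptions; each entry counts the flows it suppressed (Hits)."""
    def __init__(self, entries):
        # entries: list of (address, prefix_length, reason) as entered in the UI
        self.entries = [
            {"net": ipaddress.ip_network(f"{a}/{m}", strict=False), "reason": r, "hits": 0}
            for a, m, r in entries
        ]

    def match(self, ip):
        addr = ipaddress.ip_address(ip)
        for e in self.entries:
            if addr in e["net"]:  # a /0 entry matches every address of that IP version
                e["hits"] += 1
                return e
        return None

def check_flow(src_ip, dst_ip, merged, sources, whitelist):
    """Return alerts for blacklisted endpoints of a flow that are not whitelisted."""
    alerts = []
    for role, ip in (("src", src_ip), ("dst", dst_ip)):
        hits = merged.get(ip)
        if not hits or whitelist.match(ip):
            continue
        # When several feeds list the same address, report the strongest values.
        alerts.append({"role": role, "ip": ip, "sources": sorted(hits),
                       "severity": max(sources[s]["severity"] for s in hits),
                       "confidence": max(sources[s]["confidence"] for s in hits)})
    return alerts

if __name__ == "__main__":
    merged = merge_blacklists(BLACKLISTS)
    wl = Whitelist([("198.51.100.0", 24, "partner scanner")])
    print(check_flow("10.0.0.5", "203.0.113.10", merged, BLACKLISTS, wl))
    print(check_flow("10.0.0.5", "198.51.100.7", merged, BLACKLISTS, wl), wl.entries[0]["hits"])
```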

Locally Defined Blacklists

The locally defined blacklist table shows a list of the existing locally-defined blacklists, including the following information:

  • The source blacklist.
  • The blacklist category.
  • The size of the blacklist; this is the number of entries on the list.
  • Your confidence in the blacklist, i.e. your confidence in its completeness and accuracy.
  • The importance (or severity) of the blacklist.
  • The provider of the blacklist.
  • Entries.
  • Action.

To add a new local blacklist:

  • Click the Add Local Blacklist icon, third from left at the top of the page.
  • Enter a category, or name, for the blacklist.
  • Enter the importance (or severity) of the new local blacklist.
  • Enter your confidence in the new local blacklist, i.e. your confidence in its completeness and accuracy.
  • Click Subscribe to add the new local blacklist.
  • After submitting the local blacklist, enter IP addresses in the Entries text area, separated by commas or one per line, and click Save.

Proxies

Adding a noproxy=true flag to a watchlist URL allows the system to bypass proxy servers and retrieve the list directly, for example:

{URL to file}?NOPROXY=true