IP Reputation Library

NTA IP Reputation Library (SETTINGS menu > Network Traffic Analysis > NTA IP Reputation Library) enables you to consult static and/or dynamic lists that characterize IP addresses observed in current network traffic as suspicious. The library is prepopulated with a current list of IP addresses known to be in use by Tor client sessions (random routing and encryption that provides some measure of anonymity). When blacklisted addresses "talk" with your managed devices, they will be displayed in the NTA Suspicious Connections report.

You can also pull in lists periodically/dynamically from industry-trusted network, security, and Internet service vendor sites. This is a powerful feature in that it enables you to tie WhatsUp Gold into information observed by trusted partners and stakeholders throughout the Internet community.

Upload Lists of Addresses or Use Trusted URLs to Seed the IP Reputation Library

Add a local list

Use a community List (Cisco Talos Spam List Shown)

Typical Leverage Points:

• Include lists of suspicious IPs from web-based lists or REST API responses. (Best practice)
• Include static lists of IP addresses known to cause problems.
• Create custom reports and dashboards.
• Incorporate/monitor feedback from the ecosystem of Internet-facing administrators and security specialists.

Include or Edit an IP Address List

To add or modify a suspicious IP address list(ing):

• Click 'add' (). The Add List dialog displays.
• Click 'edit' (). The Edit List dialog displays.

Add/Edit List enables you to:

• Site URL, API query, or file path used to retrieve the list.
  • Add URL or webhosted file. For example:

    

  • Include a local blacklist file using the full local drive or UNC file path. For example:

    

Note: The list you add must use the expected syntax and format. For details, see the syntax examples in the Expected Format section of this topic.

• Define/modify the refresh interval.
• Refresh now. (Needed only when seeding from a website hosted file or REST endpoint)
• Include/exclude a list or address from consideration.

Viewing Library Entries

When viewing the grid from the library view, the following columns display:

• List Name. Label for the list within WhatsUp Gold.
• URL/Path. Site URL, API query, or file path used to retrieve the list. For file format, see the section titled Expected Format.
• Enabled. Current status against the reputation list.
• IP Count. Raw number of IP addresses obtained from this list or site.
• Unique IP Count. Number of unique IP addresses from this list or site.
• Refresh Interval. Current polling interval in days. Zero ("0") indicates never refresh.
• Last Refresh Attempt. Last attempt to read this list.
• Last Refresh. Last refresh that succeeded and yielded at least one IP address.

Expected Format

For lists applied from file systems or REST API responses, the expected syntax is similar to a hosts file. One IP address per line.

Syntax:

# my comment
<suspicious-ip-address-1>
<suspicious-ip-address-2>
<suspicious-ip-address-n>

Example:

# Well-known spam sources
203.0.113.122
203.0.113.221

See Also Network Traffic Analysis Start Analyzing Your Network! Before You Begin NTA Features and Advantages Choosing NTA Sources Configuring and Enabling Collection on Sources Creating Aggregate Sources Aggregating Sources Grouping Traffic Classifying Traffic by Port Number (NTA Applications) Collector Database Maintenance Reduce and Analyze Traffic with Advanced Filtering Network Traffic Analysis Settings Listener Port, Collection, and Retention Settings