
PacketViper Use & Management Tips

[+] How do I access and configure PacketViper?

PacketViper can be accessed directly from the console screen, or through a web browser from within your secure network.

Example: http://<internal IP>:47880, or securely: https://<internal IP>:47881

[+] When Does PacketViper update its IP lists?

1. Global Network List (GNL) data: Different GNLs are updated at various times. For instance, Global HoneyPot, Forum Spam, and many others change nightly. Business GNLs could update daily, weekly, or monthly depending on the amount and types of information we receive regarding their networks.

2. Country IP/network assignments change infrequently, so these update monthly. On the other hand, assignments within a country change much more often. These are gathered from ARIN, RIPE, AFRINIC, APNIC, and LACNIC, manual location research, proprietary geo-location pinpointing processes, and purchased lists, and are updated as needed.

[+] Unassigned Countries in Graph. What is It?

"Unassigned" are IP addresses that are not assigned to a country. Typically these are RFC 1918 addresses (i.e., private IP ranges like 192.168..., 172..., and 10...).

"Other" is the sum of all blocked traffic from other countries that aren't in the top 6. 

 


[+] Can I view active connections?

Yes. PacketViper comes with an Active Connections area, in which an administrator can kill connections quickly.

Go to TRAFFIC CONTROL --> CONNECTIONS


[+] Can I send PacketViper logs elsewhere?

Yes. PacketViper can quickly send its logs to any existing event manager via syslog.

Go to Setup --> System --> Remote Syslog Settings




[+] Filtering and Restricting Ports
  • To restrict/block a single port from a country, prefix the port with an exclamation point (example: !80)

  • To allow a single port from a country or global network list, just add the port number (example: 80)

  • To allow multiple ports from a country or global network list, separate them with a comma (example: 80,443,25)

[+] Setting Up Country/Port Triggers

Once you have your PacketViper set up, make sure you get your triggers built. Triggers are an additional level of protection from those countries and networks you must leave unfiltered. Post triggers you have found useful to help other customers here.

The trigger example below is evaluated after the custom rules: for any TCP 3389 connection, it auto-blocks the source, then emails the alert.
Go to TRAFFIC CONTROL tab --> TRIGGERS

Trigger Name: Name Your Trigger
Trigger Position: When you want the trigger evaluated (After custom rules is default)
Protocol: Choose which Protocol to monitor
Port: Choose which Protocol Port
Add Action: Add Src Custom Rules Blocking: Automatically adds the source IP to custom rules to block further attempts
Add Action: Add Src Custom Rules Blocking: Rule Comment: The comment displayed in custom rules
Add Action: Send Email Alert: Sends an email once the trigger is fired
Add Action: Send Email Alert: To: Destination address
Add Action: Send Email Alert: Send Every: How soon to send email
Add Action: Send Email Alert:Email ID: Choose email template to send (If none is created, you will have to create one)
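
A small model of the TCP 3389 trigger described above, added here as an illustration; it is not PacketViper code. It assumes that a source added to custom rules is blocked on every port, and that "Send Every" is a minimum number of seconds between alert emails; the class names, addresses and event list are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Trigger:
    name: str
    protocol: str
    port: int
    rule_comment: str
    email_to: str
    send_every: int                  # assumed: minimum seconds between alert emails
    last_sent: Optional[int] = None

@dataclass
class Filter:
    trigger: Trigger
    custom_block: dict = field(default_factory=dict)  # source IP -> rule comment
    outbox: list = field(default_factory=list)        # (time, to, subject), no real mail

    def handle(self, ts, src, protocol, port):
        # Custom rules come first: a source blocked earlier never reaches the trigger.
        if src in self.custom_block:
            return "blocked-by-custom-rule"
        t = self.trigger
        if (protocol, port) != (t.protocol, t.port):
            return "passed"
        # Action 1: Add Src Custom Rules Blocking, with the rule comment.
        self.custom_block[src] = t.rule_comment
        # Action 2: Send Email Alert, at most once per send_every seconds.
        if t.last_sent is None or ts - t.last_sent >= t.send_every:
            self.outbox.append((ts, t.email_to, f"{t.name}: blocked {src}"))
            t.last_sent = ts
        return "blocked-by-trigger"

# Constructed events: (seconds, source IP, protocol, destination port).
EVENTS = [
    (0,  "203.0.113.10", "tcp", 3389),   # first RDP attempt: blocked, alert sent
    (5,  "203.0.113.10", "tcp", 3389),   # retry: stopped by the new custom rule
    (10, "198.51.100.7", "tcp", 3389),   # new source: blocked, alert suppressed
    (30, "192.0.2.44",   "tcp", 443),    # unrelated traffic passes
    (70, "192.0.2.99",   "tcp", 3389),   # interval elapsed: blocked, alert sent
]

def run_demo():
    fw = Filter(Trigger("RDP probe", "tcp", 3389, "auto-blocked by RDP trigger",
                        "secops@example.com", send_every=60))
    return [fw.handle(*e) for e in EVENTS], fw

if __name__ == "__main__":
    print(*zip(EVENTS, run_demo()[0]), sep="\n")
```

The second event shows why trigger position matters: once the source is in custom rules, later attempts are dropped there and do not fire the trigger or generate another email.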


[+] Should I Start Blocking Countries Immediately?

That's up to you and your environment.

What we recommend in the beginning is, once PacketViper is placed inline, to observe the traffic for a day or so, or even longer depending on the volume. Then, using the report filters and summary reports, you can begin getting a better picture of what should not be permitted.

From there you can start limiting countries to a specific port inbound/outbound, then build triggers to alert and block based on suspect areas and ports you discovered from the reports or real-time logs. You will notice that as you start filtering out the unwanted traffic, your network security environment becomes less strained and overworked.

[+] PacketViper says invalid port 22 session or 443?

I've got a ton of invalid TCP traffic which I believe is because I've applied the Setup -> Security -> drop invalid packets.

The TCP Invalid traffic means that PacketViper is seeing traffic for already established connections which it doesn't already know about. This is expected when PacketViper is placed inline while connections are already established. The entries should disappear over time as PacketViper sees those connections all reestablish. The setting is useful to drop connection spoofing, where an attacker crafts a packet to look like it belongs to an already established connection.
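
The behaviour described above can be seen in a simplified connection-state table, added here as an illustration; it is not PacketViper code. The model assumes a flow becomes known only when its opening SYN is seen, and it ignores sequence numbers and timeouts; the addresses and packets are constructed.

```python
class StateTable:
    """Simplified model: a flow is known once its opening SYN has been seen."""

    def __init__(self, drop_invalid=True):
        self.flows = set()
        self.drop_invalid = drop_invalid     # models "drop invalid packets"

    def inspect(self, src, sport, dst, dport, flags):
        flags = set(flags.split("|"))
        # One key for both directions of the same connection.
        key = frozenset([(src, sport), (dst, dport)])
        if key in self.flows:
            if flags & {"FIN", "RST"}:
                self.flows.discard(key)      # connection is closing
            return "ESTABLISHED"
        if flags == {"SYN"}:
            self.flows.add(key)              # new connection seen from its start
            return "NEW"
        # Mid-stream packet for a flow the table never saw open.
        return "INVALID-DROP" if self.drop_invalid else "INVALID-PASS"

# Constructed packets: (src, sport, dst, dport, flags).
PACKETS = [
    # SSH session that was already open before the filter went inline.
    ("10.0.0.5", 50112, "10.0.1.20", 22, "ACK"),
    ("10.0.1.20", 22, "10.0.0.5", 50112, "PSH|ACK"),
    # The client reconnects; the table sees the whole handshake this time.
    ("10.0.0.5", 50230, "10.0.1.20", 22, "SYN"),
    ("10.0.1.20", 22, "10.0.0.5", 50230, "SYN|ACK"),
    ("10.0.0.5", 50230, "10.0.1.20", 22, "ACK"),
    # Crafted ACK claiming to belong to a connection that never existed.
    ("203.0.113.66", 4444, "10.0.1.20", 443, "ACK"),
]

def replay(packets, drop_invalid=True):
    table = StateTable(drop_invalid)
    return [table.inspect(*p) for p in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, replay(PACKETS)):
        print(pkt, "->", verdict)
```

The pre-existing session and the crafted ACK look identical to the table, which is why invalid entries on ports such as 22 and 443 are expected right after inline placement and stop once those sessions reconnect.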

[+] Create Scheduled Tasks For Traffic Reports

Once PacketViper is installed and running, a good practice is to create several tasks which email you nightly traffic reports. You can do this by going to SETUP -> SCHEDULE TASKS


PACKETVIPER GEO IP FILTER

Read useful tips on how to install, edit, and manage PacketViper, our Geo IP network filter. Get it installed quickly using our tips to begin blocking countries and filtering unwanted network traffic. PacketViper is a Geo IP filter on steroids that can block any country by port, inbound and outbound. Eliminate the unwanted traffic and get yourself a PacketViper!


HOW TO BLOCK A COUNTRY?

It's simple to block countries: get a PacketViper and filter out unwanted network traffic to your exposed network ports in seconds. Relieve the pressure through your security environment today.