There are 5 specific functions that can be tested to make sure that the ThreatSTOP service is working properly:
- Does the management VM pull IPs from our database?
- Are the IPs applied to firewall rules?
- Do the blocked IPs get logged?
- Can the logs be uploaded to our database?
- Can 1-4 be done automatically?
- Does the management VM pull IPs from our database?
At any time you can run the tsadmin update <devicename> command, which loads the selected device with the IPs from your policy.
The output will vary depending on the device type.
You have now verified that the management VM can pull IPs from our database.
- Are the IPs applied to firewall rules?
This step will vary based on your device; please check the knowledge base section specific to your device.
- Do the blocked IPs get logged?
From a device that is behind the ThreatSTOP protected device, go to http://bad.threatstop.com/ and let the page time out.
Log into the TSCM and issue the following command:
tail -f /var/log/threatstop/devices/<device_name>/syslog
Where <device_name> is the name you used when you first configured the ThreatSTOP service on the TSCM.
You should see several log lines that may include your testing depending on the number of blocks happening at that time.
You have now verified that the blocked IPs are getting logged.
- Can the logs be uploaded to our database?
On the ThreatSTOP management VM, look at the root crontab by running the command:
sudo crontab -l
You should see a job similar to:
7 * * * * perl -e'exec q(/usr/sbin/logrotate -f /etc/logrotate.d/remotes.log) if (stat q(/var/log/remotes.log))[7]>100000;'
You should take the command out of that job and run it manually. The command is:
/usr/sbin/logrotate -f /etc/logrotate.d/remotes.log
Running the command manually will show similar output.
The lines to note are the following, which show that the upload was successful:
[INFO ] : Upload was successful [200 OK]
[DEBUG] : Cleaning [/tmp/tmplog_0.log] previous tmp file
[INFO ] : Finish ThreatSTOP logupload operation at 26/06/2015 10:00:25 after 00:00:03
Once you have successfully uploaded a log to our system, there should now be a /var/log/remotes.log.1 file. You have now verified that the logs can be uploaded to our database.
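The cron job above only runs logrotate when /var/log/remotes.log is larger than 100000 bytes, and the success of an upload is recognised by the "Upload was successful [200 OK]" line. The following shell helpers, added here as an example and not part of ThreatSTOP's own tooling, reproduce that size check in plain sh and scan captured logrotate output for the success marker so the manual check can be scripted. The 100000-byte threshold and the marker text are taken from the crontab entry and output quoted above; the file paths are parameters, and the sample output at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example: helpers for checking the log-upload step.
# Not ThreatSTOP's own code; threshold and marker text come from the
# crontab entry and the sample output in this article.

# Mirror the crontab condition: rotation is due only when the log file
# exceeds the threshold (100000 bytes by default). Prints "rotate" or
# "skip"; returns 0 when rotation is due, 1 otherwise.
should_rotate() {
    file="$1"
    threshold="${2:-100000}"
    if [ ! -f "$file" ]; then
        echo "skip"
        return 1
    fi
    size=$(wc -c < "$file" | tr -d ' ')
    if [ "$size" -gt "$threshold" ]; then
        echo "rotate"
        return 0
    fi
    echo "skip"
    return 1
}

# Read logrotate/logupload output on stdin; succeed only if the success
# marker quoted in the article is present.
upload_succeeded() {
    grep -q 'Upload was successful \[200 OK\]'
}

# After a successful run the rotated copy (e.g. /var/log/remotes.log.1)
# should exist next to the original.
rotated_copy_present() {
    [ -f "$1.1" ]
}

# Constructed sample output in the shape of the lines quoted above.
SAMPLE_OUTPUT='[INFO ] : Upload was successful [200 OK]
[DEBUG] : Cleaning [/tmp/tmplog_0.log] previous tmp file
[INFO ] : Finish ThreatSTOP logupload operation at 26/06/2015 10:00:25 after 00:00:03'

# Demo run against the constructed output and a hypothetical log path.
if printf '%s\n' "$SAMPLE_OUTPUT" | upload_succeeded; then
    echo "upload check: OK"
else
    echo "upload check: FAILED"
fi
echo "rotation for /var/log/remotes.log: $(should_rotate /var/log/remotes.log 2>/dev/null)"
```

On a real management VM you would pipe the output of the manual logrotate run into upload_succeeded and then call rotated_copy_present /var/log/remotes.log; both return non-zero when the corresponding check fails, so they can be chained in a monitoring script.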
- Can 1-4 be done automatically?