
How can I test the ThreatSTOP service is working correctly?

There are 5 specific functions that can be tested to make sure that the ThreatSTOP service is working properly: 

  1. Does the management VM pull IPs from our database?
  2. Are the IPs applied to firewall rules?
  3. Do the blocked IPs get logged?
  4. Can the logs be uploaded to our database?
  5. Can 1-4 be done automatically?

  1. Does the management VM pull IPs from our database? 

    At any time you can run the command tsadmin update <devicename>, which loads the selected device with the IPs from your policy.

    The output will vary depending on the device type. 

    You have now verified that the management VM can pull IPs from our database.

  2. Are the IPs applied to firewall rules?

    This step will vary based on your device; please check the knowledge base section for your specific device.

  3. Do the blocked IPs get logged?

    From a device that is behind the ThreatSTOP-protected device, go to http://bad.threatstop.com/ and let the page time out.

    Log into the TSCM and issue the following command: 

    tail -f /var/log/threatstop/devices/<device_name>/syslog  

    Where <device_name> is the name you used when you first configured the ThreatSTOP service on the TSCM.

    You should see several log lines, which may include your test depending on the number of blocks happening at that time.

    You have now verified that the blocked IPs are getting logged.

  4. Can the logs be uploaded to our database?

    On the ThreatSTOP management VM, look at the root crontab by running the command:

    sudo crontab -l

    You should see a job similar to:

    7 * * * * perl -e'exec q(/usr/sbin/logrotate -f /etc/logrotate.d/remotes.log) if (stat q(/var/log/remotes.log))[7]>100000;'


    Take the logrotate command out of that job and run it manually. The command is:

    /usr/sbin/logrotate -f /etc/logrotate.d/remotes.log

    Running the command manually will show output similar to the following:

    The output to note is the following, which shows that the upload was successful:

    [INFO ] : Upload was successful [200 OK]
    [DEBUG] : Cleaning [/tmp/tmplog_0.log] previous tmp file
    [INFO ] : Finish ThreatSTOP logupload operation at 26/06/2015 10:00:25 after 00:00:03

    Once you have successfully uploaded a log to our system, there should now be a /var/log/remotes.log.1 file. You have now verified that the logs can be uploaded to our database.

  5. Can 1-4 be done automatically?
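Added example, not part of this article and not ThreatSTOP's own tooling: a small POSIX sh helper that wraps the manual checks from steps 3 and 4 so they can be run as one command, which is the point of step 5. It assumes only what the article shows (the per-device syslog path, the crontab job text, the "Upload was successful [200 OK]" line and /var/log/remotes.log.1) and resolves the address of bad.threatstop.com at run time with getent, which is an assumption about the management VM. The script name check_ts.sh and the sample syslog lines are constructed for illustration.

```shell
#!/bin/sh
# check_ts.sh (hypothetical name): run the step 3 and step 4 checks in one go.
# Usage on the TSCM, as root or with sudo rights:  sh check_ts.sh <device_name>
# Run with no arguments it only exercises the helpers on constructed sample data.

# Step 3: count syslog lines that mention an address.
# $1 = address to look for, $2 = syslog text. Prints a number (0 when absent).
count_blocked_lines() {
    printf '%s\n' "$2" | grep -cF -- "$1" || true
}

# Step 4: does the root crontab carry the logrotate upload job? Prints yes/no.
# $1 = output of "sudo crontab -l".
cron_has_upload_job() {
    case "$1" in
        *"logrotate -f /etc/logrotate.d/remotes.log"*) echo yes ;;
        *) echo no ;;
    esac
}

# Step 4: did a manual logrotate run report a successful upload? Prints ok/fail.
# $1 = output captured from "/usr/sbin/logrotate -f /etc/logrotate.d/remotes.log".
upload_status() {
    case "$1" in
        *"Upload was successful [200 OK]"*) echo ok ;;
        *) echo fail ;;
    esac
}

# Live checks against the paths the article names.
run_live() {
    device="$1"
    syslog="/var/log/threatstop/devices/$device/syslog"
    # Address of the test host, resolved now (assumes getent and awk are present).
    addr=$(getent hosts bad.threatstop.com | awk '{print $1; exit}')
    recent=$(tail -n 200 "$syslog")
    echo "step 3: $(count_blocked_lines "$addr" "$recent") of the last 200 syslog lines mention $addr"
    echo "step 4: crontab upload job present: $(cron_has_upload_job "$(sudo crontab -l)")"
    out=$(sudo /usr/sbin/logrotate -f /etc/logrotate.d/remotes.log 2>&1)
    echo "step 4: upload status: $(upload_status "$out")"
    if [ -f /var/log/remotes.log.1 ]; then
        echo "step 4: rotated log /var/log/remotes.log.1 present"
    else
        echo "step 4: no /var/log/remotes.log.1 found"
    fi
}

# Constructed sample data (not real output) used when no device name is given.
SAMPLE_CRON="7 * * * * perl -e'exec q(/usr/sbin/logrotate -f /etc/logrotate.d/remotes.log) if (stat q(/var/log/remotes.log))[7]>100000;'"
SAMPLE_UPLOAD='[INFO ] : Upload was successful [200 OK]
[DEBUG] : Cleaning [/tmp/tmplog_0.log] previous tmp file'
SAMPLE_SYSLOG='Jun 26 10:00:01 fw kernel: DROP SRC=203.0.113.5 DST=198.51.100.9
Jun 26 10:00:02 fw kernel: DROP SRC=192.0.2.7 DST=198.51.100.9
Jun 26 10:00:03 fw kernel: DROP SRC=203.0.113.5 DST=198.51.100.9'

if [ $# -ge 1 ]; then
    run_live "$1"
else
    echo "sample: $(count_blocked_lines 203.0.113.5 "$SAMPLE_SYSLOG") line(s) mention 203.0.113.5"
    echo "sample: cron job present: $(cron_has_upload_job "$SAMPLE_CRON")"
    echo "sample: upload status: $(upload_status "$SAMPLE_UPLOAD")"
fi
```

The helpers take their input as arguments rather than running commands themselves, so they can be exercised offline and reused in a cron job or monitoring check once the live run has confirmed the expected values on your TSCM.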