To Set Up an Account

Setting up an account involves a few simple steps:

  1. Go to the ThreatSTOP main page.
  2. Click Free Trial.
  3. Fill out the requested user information and click Submit.
  4. An email will be sent to your inbox and a Sales representative will be in contact shortly to walk you through the setup of your account.

Setup Your Devices in the ThreatSTOP User Portal

The following information defines the fields and tabs of the ThreatSTOP portal and explains its layout. After the field definitions there is a brief set of instructions for setting up your devices.

After logging in, the main ThreatSTOP interface screen is displayed. It is divided into multiple tabs and sub-tabs.

At the top of the Portal page is a Check IP address field. Entering an IP address in this field gives an at-a-glance analysis of that address, performed with the BIND dig utility. More information about Check IP can be found in the Logs section.

All of our directions from this point out will assume that you have already logged into your ThreatSTOP account and are looking at the Home tab.

Home

This is the summary for your ThreatSTOP account. It consists of two sections as delineated here:

  • My ThreatSTOP: This section summarizes your account properties, entitlements, and behaviors. Available fields are:
    • My ThreatSTOP Plan: Shows how many devices are associated with the account and which mode it is in. Two modes are available, Standard and Expert, and the mode may be set during account provisioning.
    • Current Protection: Lists devices that are currently protected and how many policies are available for use.
    • Latest Threat Update: Shows when the configuration threat lists were last updated.
    • Last Sign in: Shows the last time this account was logged into. Clicking on the title to this field will bring up a log of login timestamps.
  • Devices: Lists any devices currently associated with the ThreatSTOP account. This table shows a default of 10 devices, but may be changed using the Show 10 entries drop down to display up to 100 devices per page.
    The device list consists of six fields whose values come from the Devices tab, so they are not defined here; see Devices and Adding a Device below.

Devices

Lists any devices under ThreatSTOP protection, and may be used to add a device to be protected by clicking + Add Device. The following field entries appear in the main list, and are adjusted through the + Add Device menu.

Note:

+ Add Device will not display if all available spots are filled.

  • #: The position at which the device was added to the list; the count also shows how many devices are assigned to the account.
  • Nickname: The nickname assigned to the device. Use something descriptive, such as its location or network name.
  • Manufacturer: The manufacturer of the device. This determines which setup procedure applies. The currently supported manufacturers and models are listed in the Device menu (see Model).
  • Model: The model of the device; the available selections depend on the manufacturer. The Device menu lists the currently supported firewall devices and links to the setup instructions for each model.
  • IP Address: The public IP address associated with the device.
  • Policy: The policy currently applied to the device.

Adding a Device

Adding a device to ThreatSTOP is a straightforward process:

  1. Click on Devices.
  2. If you have an available seat, the + Add Device icon is displayed. Click it to continue.
    The Edit Device pop-up window is displayed.
  3. Enter a Nickname for the device (we recommend a description of the device, or its network name).
  4. Select the Manufacturer of the device. See the field descriptions in Setup Your Devices in the ThreatSTOP User Portal for the supported manufacturers.
  5. Select the Model or type of device being installed.
  6. Select the IP Type (Static or Dynamic) used by the device.
  7. Enter the public IP Address of the device. The address to use can be determined by visiting http://www.threatstop.com/cgi-bin/validip.pl from a host behind the device.
  8. In the Location drop-down, select your country. This field is optional.
  9. If your country uses postal or ZIP codes, enter yours in the Postal Code field. This field is optional.
  10. Select the policy to run the device under: either a ThreatSTOP-provided default policy or a custom policy of your own creation.
  11. Click Next.
    A message offering help with adding the policy to your device is displayed. Clicking here or Rules takes you to that help page; clicking Done returns you to the ThreatSTOP portal.
  12. Click Done.

Logs

The Logs tab is used to check the contents of system logs and to upload user logs. It has the following subtabs:

  • Check Logs: By copying and pasting a section of a log file into this screen a summary of log information will be displayed in a table above the log entry field.
  • User Log Submission: Users may submit logs to ThreatSTOP for analysis.

Check Logs

Once a section of a log file has been pasted into the text box, click Check Log to have the data analyzed. A results screen with summary and detailed information is displayed. Entries appear in bold or plain text: bold marks IPs that ThreatSTOP is actively blocking; plain text marks IPs that were hostile in the past.

  • IPs checked: This number shows the number of unique IP addresses in the log section being assessed.
  • Known: Number of IP addresses known to ThreatSTOP in the provided log.
  • Unknown: IP addresses in the list that are not known by ThreatSTOP.
  • Bot or Trojan IPs: Lists the IP addresses culled from the log snippet. Placing the mouse cursor over an IP will provide links to research groups that know of this IP and have provided us with the information we used to determine that the IP should be blocked. These may appear in bold or unformatted text.
  • # Connections: The number of times the IP address attempted to connect, according to the log file. Results may appear in a few different patterns:
    • A Bot or Trojan IP appears once, with multiple connections: the compromised host attempted to dial home or attack repeatedly and was blocked each time.
    • The same IP appears multiple times with a single Blocker listed: multiple clients on the same subnet have been compromised. Since ThreatSTOP does not (currently) show CIDR ranges, the IP is listed once for each recorded attack or dial-home, each of which was blocked.
    • The connection appears multiple times on multiple Blockers: the target is known to be compromised through multiple methods and was blocked on every attempt.
  • First Identified: When a connection attempt from the offending system was first identified.
  • Last Seen: When the most recent connection attempt was made.
  • Blockers: The blockers responsible for blocking the connection attempt.

Additionally, results may be further refined by clicking on the following labels at the bottom of the analysis; labels displayed in black text on a white background are currently active:

  • Geographical IP: Selecting this will only show IP addresses for which we have Geographical data.
  • All: Clicking this will show your entire history of attacks, as gathered from your log submissions.
    • Last 7 Days: Filters the date range down to the last week of log submissions. This is the default display.
    • Last Month: Filters the date range down to the last 30 days of log submissions.
  • Experimental Lists: Clicking this will list targets that are marked experimental by ThreatSTOP. These targets are likely to be under investigation by us.
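As an added example (not ThreatSTOP's own code), the following Python script reproduces the Check Logs summary described above over a constructed iptables-style log snippet: it extracts the source IPs, matches them CIDR-aware against a constructed stand-in for ThreatSTOP's known-hostile data, and produces the IPs checked / Known / Unknown counts and the per-IP rows (# Connections, First Identified, Last Seen, Blockers, bold versus plain), together with the Last 7 Days date filter. The log format, the blocker names, the addresses (RFC 5737 TEST-NET ranges) and the "now" used for the 7-day window are all assumptions made for the example.

```python
"""Reproduce the Check Logs summary over a pasted firewall log snippet.
Added example, not ThreatSTOP's code; log format, blockers and addresses
are constructed for illustration."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample snippet, as a user might paste it into Check Logs.
SAMPLE_LOG = """\
2014-03-02T09:15:01 fw1 kernel: [ThreatSTOP] IN=eth0 OUT= SRC=198.51.100.20 DST=203.0.113.5 PROTO=TCP DPT=443
2014-03-02T09:15:07 fw1 kernel: [ThreatSTOP] IN=eth0 OUT= SRC=198.51.100.20 DST=203.0.113.5 PROTO=TCP DPT=443
2014-03-03T11:02:44 fw1 kernel: [ThreatSTOP] IN=eth1 OUT= SRC=192.0.2.40 DST=203.0.113.5 PROTO=TCP DPT=25
2014-03-03T11:03:10 fw1 kernel: [ThreatSTOP] IN=eth1 OUT= SRC=192.0.2.41 DST=203.0.113.5 PROTO=TCP DPT=25
2014-02-10T23:59:59 fw1 kernel: [ThreatSTOP] IN=eth0 OUT= SRC=203.0.113.200 DST=203.0.113.5 PROTO=UDP DPT=53
2014-03-04T08:00:00 fw1 kernel: [ThreatSTOP] IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.5 PROTO=TCP DPT=80
"""


@dataclass(frozen=True)
class Blocker:
    """One entry of a (constructed) threat list: a CIDR range plus whether it is
    still actively blocked (bold in the portal) or was only hostile in the past."""
    name: str
    network: ipaddress.IPv4Network
    active: bool


# Constructed stand-in for ThreatSTOP's known-hostile data.
BLOCKERS = [
    Blocker("example-c2-tracker", ipaddress.ip_network("198.51.100.20/32"), True),
    Blocker("example-spam-subnet", ipaddress.ip_network("192.0.2.32/28"), True),
    Blocker("example-c2-tracker", ipaddress.ip_network("203.0.113.200/32"), False),
    Blocker("example-dns-abuse", ipaddress.ip_network("203.0.113.200/32"), False),
]

# Timestamp is the first token; SRC= carries the remote (blocked) address.
LINE_RE = re.compile(r"^(?P<ts>\S+) .*?\bSRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b")
DEFAULT_NOW = datetime(2014, 3, 4, 12, 0, 0)  # constructed "now" for the sample


@dataclass
class Row:
    """One line of the Bot or Trojan IPs table."""
    ip: str
    connections: int = 0
    first_identified: datetime | None = None
    last_seen: datetime | None = None
    blockers: list[str] = field(default_factory=list)
    active: bool = False  # True: shown in bold (actively blocked); False: plain


def parse_log(text: str) -> list[tuple[datetime, ipaddress.IPv4Address]]:
    """Extract (timestamp, source IP) pairs; lines without a usable SRC are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            events.append((datetime.fromisoformat(m["ts"]), ipaddress.IPv4Address(m["src"])))
        except ValueError:
            continue  # malformed timestamp or address: not a usable log line
    return events


def check_log(text: str, blockers: list[Blocker], since: datetime | None = None) -> dict:
    """Summarise a snippet the way Check Logs does. `since` is the date-range filter."""
    events = [(ts, ip) for ts, ip in parse_log(text) if since is None or ts >= since]
    rows: dict[str, Row] = {}
    unknown: set[str] = set()
    for ts, ip in events:
        hits = [b for b in blockers if ip in b.network]  # CIDR-aware match
        if not hits:
            unknown.add(str(ip))
            continue
        row = rows.setdefault(str(ip), Row(ip=str(ip)))
        row.connections += 1
        row.first_identified = ts if row.first_identified is None else min(row.first_identified, ts)
        row.last_seen = ts if row.last_seen is None else max(row.last_seen, ts)
        row.blockers = sorted({b.name for b in hits})
        row.active = any(b.active for b in hits)
    return {
        "ips_checked": len({str(ip) for _, ip in events}),
        "known": len(rows),
        "unknown": len(unknown),
        "unknown_ips": sorted(unknown),
        "rows": sorted(rows.values(), key=lambda r: ipaddress.IPv4Address(r.ip)),
    }


def check_last_7_days(text: str, blockers: list[Blocker], now: datetime = DEFAULT_NOW) -> dict:
    """The portal's default Last 7 Days view."""
    return check_log(text, blockers, since=now - timedelta(days=7))


def render(result: dict) -> str:
    """Plain-text table; '**' marks the rows the portal would show in bold."""
    out = [f"IPs checked: {result['ips_checked']}  Known: {result['known']}  Unknown: {result['unknown']}"]
    for r in result["rows"]:
        b = "**" if r.active else ""
        out.append(f"{b}{r.ip}{b}  #Conn={r.connections}  First={r.first_identified:%Y-%m-%d %H:%M}"
                   f"  Last={r.last_seen:%Y-%m-%d %H:%M}  Blockers={', '.join(r.blockers)}")
    return "\n".join(out)


if __name__ == "__main__":
    print("All:\n" + render(check_log(SAMPLE_LOG, BLOCKERS)))
    print("\nLast 7 days:\n" + render(check_last_7_days(SAMPLE_LOG, BLOCKERS)))
```

The sample exercises the three # Connections patterns from the list above: 198.51.100.20 appears once with two connections, 192.0.2.40 and 192.0.2.41 both fall under the single /28 "subnet" blocker, and 203.0.113.200 matches two blockers but is no longer active, so it renders plain. The February entry drops out of the Last 7 Days view.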

User Log Submission

This tab allows users to submit their log files for research and analysis on our servers. Once a log is uploaded, our servers parse it, compare the addresses it contains against known hostile IPs, and set aside any unrecognized IPs for further processing.

  • Nickname: The name of the device that the log was pulled from. Users with many devices should take care to select the nickname of the device the log actually came from.
  • IP Address: The public address of the device that generated the log.
  • File: Provides two controls:
    • Browse: Opens a File Upload dialog box so you can locate and select the file to upload.
    • Upload: Once the log file is associated with the device, clicking this button sends it to our servers for processing.
  • Status: Shows whether the log upload was successful or failed.

My Account

Displays the user's account information, including contact information, ID, and any third-party access that has been granted, and allows this information to be modified and updated as needed. If the user has been granted rights to manage another account, that account's email address is displayed under Accounts I can manage.

Note:

Only email addresses that have been added into the Portal can be granted third-party access.

Adding Third-Party Access

  1. Click + Grant Access to my account. The Grant Access to my account pop-up appears.
  2. In the empty box in the middle of the pop-up, enter the email address of the person to be granted access to the account.
  3. If the person only needs to pull reports and should not be able to adjust firewall policies, tick the box next to Limit to reporting only. Leave it unticked only for people who genuinely need to change what your devices block.
  4. Click Add.