List:       snort-devel
Subject:    Re: [Snort-devel] [Snort-users] blacklist file for reputation
From:       Matthew Jonkman <jonkman () emergingthreatspro ! com>
Date:       2011-07-26 12:24:53
Message-ID: 34263D11-7547-433B-8AD1-3510BCD3DEA1 () emergingthreatspro ! com
[Download RAW message or body]

More inline, but the other replies were on target. 

We have plans for directives for this in Suricata; it'd be VERY nice if we could keep consistent conventions here. More:

(cc'ing in the suricata lists, as it's cross-relevant)

On Jul 21, 2011, at 4:13 PM, Joel Esler wrote:
> > Can we feed categories or anything in there, or is this just blocking?
> > 
> 
> Expand on what you mean here.  We have some future improvements planned for the preprocessor, but I am not sure what you mean here.

At this point it looks like we can just block anything on the list, not categorize, tag, or anything else, correct? (Still a great start! Glad to have that.)


> 
> > Will rule directive be coming so we can query reputation within a stream?
> > 
> 
> Again, expand on what you mean.  The IP preprocessor takes place before any other preprocessor, and before the rules.

In Suricata we're going to have a directive like so:

reputation: <src,dst,either>, ip|dns, category, =<>, int;

Something like that. So we can in the rule query if it's above or below a certain reputation level (+100 to -100, + being very good, - being bad, and 0 meaning no data).

So we can use reputation to NOT alert on known very good places (Google, our own internal resources, etc). We can also use it to alert on known bad, or kinda bad plus another factor.

We're still flexible in how we define these directives for Suricata, so if we can all agree on something it's definitely in everyone's interest for us to do this the same way, regardless of background implementation.

So an example of what I'm thinking for the above:

reputation: src, ip, BotCnC, <=, -50;

Plain English: source IP has a reputation of -50 or less in the Bot CnC category.

I suppose we'd need to be able to take a list of categories and call a hit good on any or all.

Will that work with what you all at Snort have in mind?

matt

> 
> J
> 
> 
> > Thanks Steve!
> > 
> > Matt
> > 
> > 
> > On Jul 21, 2011, at 3:49 PM, Steven Sturges wrote:
> > 
> > > The preprocessor has a config setting to ignore RFC1918 addresses,
> > > so no need to whitelist.
> > > 
> > > Of course you can also blacklist your 192.168.1.1 router if
> > > you really want to.  ;)
> > > 
> > > -steve
> > > 
> > > On 7/21/11 3:40 PM, Will Metcalf wrote:
> > > > Perhaps you should white-list RFC1918 addresses as well; there are 10.
> > > > and 192.168. addys in those lists. Emerging Threats has a list as
> > > > well.
> > > > 
> > > > http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
> > > > 
> > > > Regards,
> > > > 
> > > > Will
> > > > 
> > > > 2011/7/21 Alex Kirk <akirk@sourcefire.com>:
> > > > > There is a somewhat experimental IP blacklist available at
> > > > > http://labs.snort.org/iplists/, updated on a daily basis. Those IP addresses are things that are touched by the VRT's malware farm - and while we've done some basic whitelisting (i.e. google.com's IP shouldn't show up in there), simply importing those lists and blocking them wholesale would probably be a bad idea. I would suggest cross-referencing those lists with other IP reputation blacklists available on the Internet.
> > > > > Sourcefire is examining more "turn-key" list solutions for the future, but
> > > > > for the time being this experimental list is all we have available.
> > > > > 
> > > > > 2011/7/20 김무성 <kimms@infosec.co.kr>
> > > > > > 
> > > > > > Hello list.
> > > > > > 
> > > > > > I saw the snort-2.9.1 RC release.
> > > > > > 
> > > > > > There are some new functions that were added. It's awesome.
> > > > > > 
> > > > > > One of them, the IP reputation processor, is a good idea.
> > > > > > 
> > > > > > But the important thing is a blacklist. A real blacklist.
> > > > > > 
> > > > > > Is there a blacklist which Sourcefire provides to the public?
> > > > > > 
> > > > > > Where can I get this list?
> > > > > > 
> > > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > --
> > > > > Alex Kirk
> > > > > AEGIS Program Lead
> > > > > Sourcefire Vulnerability Research Team
> > > > > +1-410-423-1937
> > > > > alex.kirk@sourcefire.com
> > > > > 
> > > > > 
> > > > > 
> > > > 
> > > 
> > 
> > 
> > ----------------------------------------------------
> > Matthew Jonkman
> > Emergingthreats.net
> > Emerging Threats Pro
> > Open Information Security Foundation (OISF)
> > Phone 866-504-2523 x110
> > http://www.emergingthreatspro.com
> > http://www.openinfosecfoundation.org
> > ----------------------------------------------------
> > 
> > PGP: http://www.jonkmans.com/mattjonkman.asc
> > 
> > 
> > 
> > 
> 
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
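To make the semantics of the proposed reputation directive concrete (direction, ip|dns, category, comparison, score in -100..+100 with 0 meaning no data), here is an added evaluator written for this archive page; it is not Suricata or Snort code. The `|`-separated category list and the any/all mode are assumptions that follow the "list of categories, any or all" remark above, and the reputation table is constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed reputation data: (identifier, category) -> score, +100 good, -100 bad.
# Pairs missing from the table are "no data", which the proposal scores as 0.
REPUTATION = {
    ("203.0.113.7", "BotCnC"): -80,
    ("203.0.113.7", "Spam"): -20,
    ("198.51.100.2", "BotCnC"): -30,
    ("192.0.2.10", "Search"): 95,
}

# reputation: <src|dst|either>, <ip|dns>, <category[|category...]>, <op>, <int>;
# The '|'-separated category list is an assumption added for this example.
DIRECTIVE = re.compile(
    r"^reputation:\s*(src|dst|either)\s*,\s*(ip|dns)\s*,\s*([\w|]+)\s*,"
    r"\s*(<=|>=|=|<|>)\s*,\s*(-?\d+)\s*;$"
)
OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
}


@dataclass
class Reputation:
    direction: str      # src, dst or either
    kind: str           # ip or dns: which identifier of the flow is looked up
    categories: list    # one or more categories
    op: str
    value: int
    mode: str = "any"   # hit if any category matches, or only if all do (assumed)


def parse(text, mode="any"):
    """Parse one directive; reject malformed syntax or scores outside -100..100."""
    m = DIRECTIVE.match(text.strip())
    if not m:
        raise ValueError("malformed reputation directive: %r" % text)
    direction, kind, cats, op, value = m.groups()
    value = int(value)
    if not -100 <= value <= 100:
        raise ValueError("reputation score must be within -100..100")
    return Reputation(direction, kind, cats.split("|"), op, value, mode)


def matches(rule, src, dst, table=REPUTATION):
    """src/dst are the flow's identifiers of rule.kind (IPs for ip, names for dns)."""
    sides = {"src": [src], "dst": [dst], "either": [src, dst]}[rule.direction]
    combine = any if rule.mode == "any" else all
    return any(
        combine(OPS[rule.op](table.get((ident, c), 0), rule.value) for c in rule.categories)
        for ident in sides
    )
```

With this table, `reputation: src, ip, BotCnC, <=, -50;` fires for 203.0.113.7 but not for 198.51.100.2 (-30) or for an address with no BotCnC data (scored 0), and `reputation: src, ip, Search, >=, 90;` is the whitelist-style use that suppresses alerts for known good sources.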





