[Snort-devel] [Snort-users] blacklist file for reputation processor

김무성 kimms at ...3084...
Tue Jul 26 03:22:32 EDT 2011


It's a good idea.
Reputation is an important factor which is needed nowadays.

Make a thread for this.



-----Original Message-----
From: Pablo [mailto:pablo.rincon.crespo at ...2499...] 
Sent: Friday, July 22, 2011 6:53 AM
To: Joel Esler
Cc: Steven Sturges; Will Metcalf; snort-devel at lists.sourceforge.net; snortdevel at ...3154...; snortusers at ...3154...; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] [Snort-devel] blacklist file for reputation processor

2011/7/21 Joel Esler <jesler at ...402...>:
>
> On Jul 21, 2011, at 3:51 PM, Matthew Jonkman wrote:
>
>> Can we feed categories or anything in there, or is this just blocking?
>>
>
> Expand on what you mean here.  We have some future improvements planned for the preprocessor, but I am not sure what you mean here.

I guess that the idea would be to have multiple reputation values for
activities. Something like
1.2.3.4 spam:0, cnc:13, malware_hosting:17, others...
So maybe a shared hosting with a cnc web panel doesn't generate an
alert because of legal/legitimate traffic of, let's say, mail delivery
of other domains/customers of the hosting.

>
>
>> Will rule directive be coming so we can query reputation within a stream?
>>
>
> Again, expand on what you mean.  The IP preprocessor takes place before any other preprocessor, and before the rules.

The ability to query those activities (ie, spam, malware_hosting, cnc,
...) with a rule keyword and operators to compare. So something like
alert tcp any any -> any any (msg:"probably not your wife..";
content:"viagra"; reputation:spam > 50; ...)
even with multiple evaluations
alert tcp any any -> any any (msg: ""; content: "whatever";
reputation: activityA > X or activityB >= Y...)
and even with an average of all those activities, like reputation_avg > 30

It would be nice to define some common thresholds for those
activities, and also to feedback the reputation with other type of
rules. Like
alert tcp any any -> any any (.. whatever_conditions..; reputation:
feedback activity1 +20, activity3 +5 )

I still remember a meeting at Istanbul sometime ago with the dev team
of suricata, talking about this with Gurvinder and Matt and definitely
I think it's a must.
Maybe we should open a new thread for discussing a common format for
files, keywords and so on, just like with the new taxonomy (of
Alienvault / Jaime Blasco ;). I think it can work, and also it could
be open to allow other kind of security applications to query this DBs
as well.. firewalls, HIDSs, spam checkers... even dns servers.

Just my 2 cents.

>
> J
>
>
>> Thanks Steve!
>>
>> Matt
>>
>>
>> On Jul 21, 2011, at 3:49 PM, Steven Sturges wrote:
>>
>>> The preprocessor has a config setting to ignore RFC1918 addresses,
>>> so no need to whitelist.
>>>
>>> Of course you can also blacklist your 192.168.1.1 router if
>>> you really want to.  ;)
>>>
>>> -steve
>>>
>>> On 7/21/11 3:40 PM, Will Metcalf wrote:
>>>> Perhaps you should white-list RFC1918 addresses as well; there are 10.
>>>> and 192.168. addy's in those lists. Emerging Threats has a list as
>>>> well..
>>>>
>>>> http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
>>>>
>>>> Regards,
>>>>
>>>> Will
>>>>
>>>> 2011/7/21 Alex Kirk<akirk at ...402...>:
>>>>> There is a somewhat experimental IP blacklist available at
>>>>> http://labs.snort.org/iplists/, updated on a daily basis. Those IP addresses
>>>>> are things that are touched by the VRT's malware farm - and while we've done
>>>>> some basic whitelisting (i.e. google.com's IP shouldn't show up in there),
>>>>> simply importing those lists and blocking them wholesale would probably be a
>>>>> bad idea. I would suggest cross-referencing those lists with other IP
>>>>> reputation blacklists available on the Internet.
>>>>> Sourcefire is examining more "turn-key" list solutions for the future, but
>>>>> for the time being this experimental list is all we have available.
>>>>>
>>>>> 2011/7/20 김무성<kimms at ...3084...>
>>>>>>
>>>>>> Hello list.
>>>>>>
>>>>>> I saw the snort-2.9.1 RC release.
>>>>>>
>>>>>> There are some new functions that were added. It’s awesome.
>>>>>>
>>>>>> One of them, the ip reputation processor, is a good idea.
>>>>>>
>>>>>>
>>>>>>
>>>>>> But the important thing is a blacklist. A real blacklist.
>>>>>>
>>>>>> Is there a blacklist which sourcefire provides to the public?
>>>>>>
>>>>>> Where can I get this list?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> 10 Tips for Better Web Security
>>>>>> Learn 10 ways to better secure your business today. Topics covered
>>>>>> include:
>>>>>> Web security, SSL, hacker attacks&  Denial of Service (DoS), private keys,
>>>>>> security Microsoft Exchange, secure Instant Messaging, and much more.
>>>>>> http://www.accelacomm.com/jaw/sfnl/114/51426210/
>>>>>> _______________________________________________
>>>>>> Snort-devel mailing list
>>>>>> Snort-devel at lists.sourceforge.net
>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Alex Kirk
>>>>> AEGIS Program Lead
>>>>> Sourcefire Vulnerability Research Team
>>>>> +1-410-423-1937
>>>>> alex.kirk at ...402...
>>>>>
>>>>
>>>
>>> ------------------------------------------------------------------------------
>>> 5 Ways to Improve & Secure Unified Communications
>>> Unified Communications promises greater efficiencies for business. UC can
>>> improve internal communications as well as offer faster, more efficient ways
>>> to interact with customers and streamline customer service. Learn more!
>>> http://www.accelacomm.com/jaw/sfnl/114/51426253/
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>> Please see http://www.snort.org/docs for documentation
>>
>>
>> ----------------------------------------------------
>> Matthew Jonkman
>> Emergingthreats.net
>> Emerging Threats Pro
>> Open Information Security Foundation (OISF)
>> Phone 866-504-2523 x110
>> http://www.emergingthreatspro.com
>> http://www.openinfosecfoundation.org
>> ----------------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>>
>>
>
>
>



-- 

Best regards,

--
Pablo Rincón
CTO at Fortimotion Technologies
emergingthreatspro.com
openinfosecfoundation.org
@PabloForThePPL
------------------------------------
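The multi-activity reputation format and rule keyword that Pablo sketches above (per-IP scores such as `spam:0, cnc:13, malware_hosting:17`, conditions like `reputation:spam > 50`, `reputation_avg`, and `feedback` adjustments), together with the RFC1918 ignore behaviour Steve mentions for the list loader, as an added example. This is not code from the thread, from Snort or from Suricata; it is a small Python model whose line format, `reputation_avg` semantics (mean of the listed activities, missing activities count as 0) and 0..100 feedback clamp are assumptions made here. The sample list is constructed.

```python
"""Toy model of the multi-activity IP reputation format and rule keyword
discussed in the thread. Added example, not Snort or Suricata code.
Assumptions: one 'ip activity:score, ...' entry per line, scores 0-100,
missing activities count as 0, 'reputation_avg' is the mean of the listed
activities, and 'feedback' adjustments are clamped to 0..100."""
import ipaddress
import operator
import re
import statistics

# RFC1918 ranges, checked explicitly: ipaddress's is_private also covers
# documentation and other special-purpose blocks (e.g. 203.0.113.0/24),
# which a blacklist loader should not silently drop.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample list in the format proposed in the thread.
SAMPLE_LIST = """\
# ip  activity:score, ...
1.2.3.4      spam:0, cnc:13, malware_hosting:17
203.0.113.9  spam:80, cnc:0, malware_hosting:5
192.168.1.1  spam:99, cnc:99, malware_hosting:99   # someone's router
10.0.0.5     cnc:40
"""

CMP = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "==": operator.eq}
COND_RE = re.compile(r"^\s*(\w+)\s*(>=|<=|==|>|<)\s*(\d+)\s*$")


def is_rfc1918(addr):
    """True only for the three RFC1918 private IPv4 ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def parse_reputation_list(text, ignore_rfc1918=True):
    """Return ({ip: {activity: score}}, [skipped ips]). Lines with an
    RFC1918 address are skipped when ignore_rfc1918 is set, mirroring the
    preprocessor option mentioned in the thread."""
    table, skipped = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        addr, _, rest = line.partition(" ")
        if ignore_rfc1918 and is_rfc1918(addr):
            skipped.append(addr)
            continue
        scores = {}
        for item in rest.split(","):
            if item.strip():
                name, _, value = item.partition(":")
                scores[name.strip()] = int(value)
        table[addr] = scores
    return table, skipped


def eval_reputation(scores, expr):
    """Evaluate a rule-style expression such as 'spam > 50',
    'cnc > 10 or malware_hosting >= 20' or 'reputation_avg > 30'.
    'and' binds tighter than 'or'; no parentheses."""
    def atom(text):
        m = COND_RE.match(text)
        if not m:
            raise ValueError("bad reputation condition: %r" % text)
        name, op, threshold = m.groups()
        if name == "reputation_avg":
            value = statistics.mean(scores.values()) if scores else 0
        else:
            value = scores.get(name, 0)   # unknown activity: no evidence
        return CMP[op](value, int(threshold))
    return any(all(atom(a) for a in re.split(r"\s+and\s+", clause))
               for clause in re.split(r"\s+or\s+", expr.strip()))


def match_rule(table, addr, expr):
    """A rule only matches for IPs present in the loaded list."""
    return addr in table and eval_reputation(table[addr], expr)


def apply_feedback(table, addr, adjustments, ceiling=100):
    """Apply 'feedback activity1 +20, activity3 -5' to an IP's scores,
    clamped to 0..ceiling so repeated hits cannot overflow the scale."""
    spec = re.sub(r"^\s*feedback\s+", "", adjustments)
    scores = table.setdefault(addr, {})
    for item in spec.split(","):
        name, delta = item.split()
        scores[name] = max(0, min(ceiling, scores.get(name, 0) + int(delta)))
    return scores


if __name__ == "__main__":
    table, skipped = parse_reputation_list(SAMPLE_LIST)
    print("skipped RFC1918:", skipped)
    for ip in table:
        print(ip, table[ip], "spam>50:", match_rule(table, ip, "spam > 50"))
```

Two points worth noticing when running it: the shared-hosting case from the thread (1.2.3.4, with a cnc score but no spam score) fails `spam > 50` and `reputation_avg > 30` but still matches a per-activity condition on `cnc`, and the private 192.168.1.1 entry never matches anything because it was dropped at load time rather than at rule-evaluation time.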
