[Oisf-devel] [Snort-devel] [Snort-users] blacklist file for reputation processor

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Jul 26 12:24:53 UTC 2011 

More inline, but the other replies were on target. 

We have plans for directives for this in suricata, it'd be VERY nice if we could keep consistent conventions here. More:

(cc'ing in the suricata lists, as it's cross-relevant)

On Jul 21, 2011, at 4:13 PM, Joel Esler wrote:
>> Can we feed categories or anything in there, or is this just blocking?
>> 
> 
> Expand on what you mean here.  We have some future improvements planned for the preprocessor, but I am not sure what you mean here.
> 

At this point it looks like we can just block anything on the list, not categorize, tag, or anything else, correct? (Still a great start! Glad to have that)


> 
>> Will rule directive be coming so we can query reputation within a stream?
>> 
> 
> Again, expand on what you mean.  The IP preprocessor takes place before any other preprocessor, and before the rules.  

In suricata we're going to have a directive like so:

reputation: <src,dst,either>, ip|dns, category, =<>, int;

Something like that. So we can in the rule query if it's above or below a certain reputation level (+100 to -100, + being very good, - being bad, and 0 meaning no data.)

So we can use reputation to NOT alert on known very good places (google, our own internal resources, etc). We can also use it to alert on known bad, or kinda bad plus another factor.

We're still flexible in how we define these directives for suricata, so if we can all agree on something it's definitely in everyone's interest for us to do this the same way, regardless of background implementation.

So an example of what I'm thinking for the above:

reputation: src, ip, BotCnC, <=, -50;

Plain english, source IP has a reputation of -50 or less in the Bot CNC category.

I suppose we'd need to be able to take a list of categories and call a hit good on any or all.

Will that work with what you all at snort have in mind? 

matt

> 
> J
> 
> 
>> Thanks Steve!
>> 
>> Matt
>> 
>> 
>> On Jul 21, 2011, at 3:49 PM, Steven Sturges wrote:
>> 
>>> The preprocessor has a config setting to ignore RFC1918 addresses,
>>> so no need to whitelist.
>>> 
>>> Of course you can also blacklist your 192.168.1.1 router if
>>> you really want to.  ;)
>>> 
>>> -steve
>>> 
>>> On 7/21/11 3:40 PM, Will Metcalf wrote:
>>>> Perhaps you should white-list RFC1918 addresses as well there are 10.
>>>> and 192.168. addy's in those lists. Emerging Threats has a list as
>>>> well..
>>>> 
>>>> http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
>>>> 
>>>> Regards,
>>>> 
>>>> Will
>>>> 
>>>> 2011/7/21 Alex Kirk<akirk at sourcefire.com>:
>>>>> There is a somewhat experimental IP blacklist available at
>>>>> http://labs.snort.org/iplists/, updated on a daily basis. Those IP addresses
>>>>> are things that are touched by the VRT's malware farm - and while we've done
>>>>> some basic whitelisting (i.e. google.com's IP shouldn't show up in there),
>>>>> simply importing those lists and blocking them wholesale would probably be a
>>>>> bad idea. I would suggest cross-referencing those lists with other IP
>>>>> reputation blacklists available on the Internet.
>>>>> Sourcefire is examining more "turn-key" list solutions for the future, but
>>>>> for the time being this experimental list is all we have available.
>>>>> 
>>>>> 2011/7/20 김무성<kimms at infosec.co.kr>
>>>>>> 
>>>>>> Hello list.
>>>>>> 
>>>>>> I saw that release snort-2.9.1 RC.
>>>>>> 
>>>>>> There are some new function that added. It’s awesome.
>>>>>> 
>>>>>> One of them, ip reputation processor, it’s good idea.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> But important thing is a blacklist. Real blacklist.
>>>>>> 
>>>>>> Is there a blacklist which sourcefire provide to public?
>>>>>> 
>>>>>> Where can I get this list?
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> ------------------------------------------------------------------------------
>>>>>> 10 Tips for Better Web Security
>>>>>> Learn 10 ways to better secure your business today. Topics covered
>>>>>> include:
>>>>>> Web security, SSL, hacker attacks&  Denial of Service (DoS), private keys,
>>>>>> security Microsoft Exchange, secure Instant Messaging, and much more.
>>>>>> http://www.accelacomm.com/jaw/sfnl/114/51426210/
>>>>>> _______________________________________________
>>>>>> Snort-devel mailing list
>>>>>> Snort-devel at lists.sourceforge.net
>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> Alex Kirk
>>>>> AEGIS Program Lead
>>>>> Sourcefire Vulnerability Research Team
>>>>> +1-410-423-1937
>>>>> alex.kirk at sourcefire.com
>>>>> 
>>>>> ------------------------------------------------------------------------------
>>>>> 5 Ways to Improve&  Secure Unified Communications
>>>>> Unified Communications promises greater efficiencies for business. UC can
>>>>> improve internal communications as well as offer faster, more efficient ways
>>>>> to interact with customers and streamline customer service. Learn more!
>>>>> http://www.accelacomm.com/jaw/sfnl/114/51426253/
>>>>> _______________________________________________
>>>>> Snort-devel mailing list
>>>>> Snort-devel at lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>>> 
>>>>> 
>>>> 
>>>> ------------------------------------------------------------------------------
>>>> 5 Ways to Improve&  Secure Unified Communications
>>>> Unified Communications promises greater efficiencies for business. UC can
>>>> improve internal communications as well as offer faster, more efficient ways
>>>> to interact with customers and streamline customer service. Learn more!
>>>> http://www.accelacomm.com/jaw/sfnl/114/51426253/
>>>> _______________________________________________
>>>> Snort-devel mailing list
>>>> Snort-devel at lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>> 
>>> ------------------------------------------------------------------------------
>>> 5 Ways to Improve & Secure Unified Communications
>>> Unified Communications promises greater efficiencies for business. UC can 
>>> improve internal communications as well as offer faster, more efficient ways
>>> to interact with customers and streamline customer service. Learn more!
>>> http://www.accelacomm.com/jaw/sfnl/114/51426253/
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>> 
>>> Please see http://www.snort.org/docs for documentation
>> 
>> 
>> ----------------------------------------------------
>> Matthew Jonkman
>> Emergingthreats.net
>> Emerging Threats Pro
>> Open Information Security Foundation (OISF)
>> Phone 866-504-2523 x110
>> http://www.emergingthreatspro.com
>> http://www.openinfosecfoundation.org
>> ----------------------------------------------------
>> 
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>> 
>> 
>> 
>> 
>> ------------------------------------------------------------------------------
>> 5 Ways to Improve & Secure Unified Communications
>> Unified Communications promises greater efficiencies for business. UC can 
>> improve internal communications as well as offer faster, more efficient ways
>> to interact with customers and streamline customer service. Learn more!
>> http://www.accelacomm.com/jaw/sfnl/114/51426253/
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
> 
> 
> ------------------------------------------------------------------------------
> 5 Ways to Improve & Secure Unified Communications
> Unified Communications promises greater efficiencies for business. UC can 
> improve internal communications as well as offer faster, more efficient ways
> to interact with customers and streamline customer service. Learn more!
> http://www.accelacomm.com/jaw/sfnl/114/51426253/
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

More information about the Oisf-devel mailing list