IP Reputation Blacklist file


Wayne Veilleux

Nov 14, 2013, 11:11:27 AM11/14/13
to securit...@googlegroups.com
Hi folks,

Is there an "Open Source" (or free service) IP Reputation Blacklisting database where we can download a maintained file of "bad IPs" to include in the preprocessor reputation function in Snort?

/Wayne

Mark Moore

Nov 14, 2013, 11:20:18 AM11/14/13
to securit...@googlegroups.com

Great question. I would also like to know if this is available.

Wayne Veilleux

Nov 14, 2013, 11:51:43 AM11/14/13
to securit...@googlegroups.com
On the OSSIM project, I found this file https://reputation.alienvault.com/reputation.data but I'm not aware whether we can use this file "freely". The format seems to be OK to use with the preprocessor reputation function in Snort. I'll do a test and let you know.

/Wayne

Paul Halliday

Nov 14, 2013, 11:54:46 AM11/14/13
to securit...@googlegroups.com
Did you look at Emerging Threats IP lists?

compromised-ips.txt
rbn-ips.txt
rbn-malvertisers-ips.txt



--
Paul Halliday
http://www.pintumbler.org/

Joel Esler

Nov 14, 2013, 11:54:29 AM11/14/13
to securit...@googlegroups.com
The newest release of PulledPork (don't know if it has made it into SO yet) has our free IP blacklist feed built into it.

--
Joel Esler
AEGIS Intelligence Lead
OpenSource Manager
Vulnerability Research Team, Sourcefire

Wayne Veilleux

Nov 14, 2013, 1:11:03 PM11/14/13
to securit...@googlegroups.com
Joel, are you talking about PulledPork version 0.7.0? We run the latest SO here and I just checked and we have version 0.6.1 (/usr/bin/pulledpork.pl -V - PulledPork v0.6.1 the Smoking Pig), so this feature is not available yet.

/Wayne

Heine Lysemose

Nov 14, 2013, 4:00:43 PM11/14/13
to securit...@googlegroups.com

Please see the roadmap, https://code.google.com/p/security-onion/wiki/Roadmap. The upgrade is scheduled to be done in December.

/Lysemose

we...@advancedcybersecurity.co.uk

Jan 13, 2015, 7:42:54 PM1/13/15
to securit...@googlegroups.com
I haven't seen any update on this but am very interested to know if the blacklists made it into the product; does anyone know?

Doug Burks

Jan 14, 2015, 4:12:19 PM1/14/15
to securit...@googlegroups.com
Hi Wendy,

Security Onion now includes the newer version of PulledPork referenced
earlier in this thread:

pulledpork.pl -V
PulledPork v0.7.0 - Swine Flu!

However, if you upgraded from an older version of PulledPork, then you
may not have the new configuration lines for VRT Blacklisting in your
/etc/nsm/pulledpork/pulledpork.conf. The new config lines can be
found in /etc/nsm/templates/pulledpork/pulledpork.conf and are as
follows:

# NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|<oinkcode>
# This format MUST be followed to let pulledpork know that this is a blacklist
#rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open

You can copy those lines into your /etc/nsm/pulledpork/pulledpork.conf
and then un-comment the rule_url line to enable it. You may then need
to update your Snort configuration to read the blacklist downloaded by
PulledPork.



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Charles Francis

Jan 14, 2015, 4:58:47 PM1/14/15
to securit...@googlegroups.com
Hi Doug,
Does a "rule-update" from the sensor pull the list files down from the server?

Doug Burks

Jan 14, 2015, 5:05:42 PM1/14/15
to securit...@googlegroups.com
No, the best method for distributed intel is to use the Bro Intel
framework and Salt. Any Bro intel that you put into
/opt/bro/share/bro/intel/ on the master server will get replicated to
all sensors every 15 minutes by Salt:
http://blog.securityonion.net/2014/09/new-securityonion-bro-scripts.html
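The two consumers discussed in this thread (the Snort reputation preprocessor's blacklist file that PulledPork downloads, and the Bro Intel files Salt replicates from /opt/bro/share/bro/intel/) want different on-disk formats, and a raw feed such as the AlienVault reputation.data or the Emerging Threats lists is neither. The following converter is an added example, not code from Security Onion, PulledPork or any of the posters. It takes an arbitrary IP list, validates every entry with the standard ipaddress module, drops duplicates and anything inside RFC 1918/loopback/multicast space (a feed line there is almost always a parsing mistake that would blacklist your own hosts), and emits both formats. The sample feed, the source name "sample-feed" and the choice to emit only Intel::ADDR (no subnet indicator type for the Bro release of that era) are assumptions of the example; the first-field-before-'#' parsing is a general heuristic that covers bare IPs, CIDR blocks, trailing comments and '#'-delimited metadata alike, not a statement about any particular feed's layout.

```python
"""Normalize an IP reputation feed into Snort reputation-preprocessor
and Bro Intel framework formats (added example, not project code)."""
import ipaddress

# Constructed sample feed (not a real download): mixes bare IPs, a CIDR
# block, '#'-delimited metadata, comments, junk, a duplicate and an
# RFC 1918 address that must never reach a blocking list.
SAMPLE_FEED = """\
# header comment
192.0.2.10#4#2#Scanning Host#ZZ#City#0.0,0.0#11
198.51.100.0/24   # whole block listed
203.0.113.7
not-an-ip
192.0.2.10
10.0.0.1
2001:db8::1
"""

# Ranges a blacklist must never contain; an entry here means the feed was
# mis-parsed, and blocking it would cut off your own infrastructure.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fe80::/10", "fc00::/7",
)]


def is_bogon(net):
    """True if the network lies entirely inside a bogon range."""
    return any(net.version == b.version and net.subnet_of(b) for b in BOGONS)


def parse_indicators(text):
    """Return a de-duplicated, sorted list of ip_network objects.

    The indicator is the first whitespace-delimited token before any '#',
    so bare IPs, CIDRs, trailing comments and '#'-separated metadata
    fields are all handled; comment lines yield no token and are skipped.
    """
    nets = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            # strict=False lets a host address parse as a /32 (or /128)
            net = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue  # junk line: ignore it rather than abort the whole run
        if is_bogon(net):
            continue
        nets[net] = None  # dict keys give order-preserving de-duplication
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def to_snort_blacklist(nets):
    """One entry per line as the Snort reputation preprocessor reads it:
    a bare address for hosts, CIDR notation for blocks, '#' comments."""
    lines = ["# generated blacklist for the Snort reputation preprocessor"]
    for n in nets:
        lines.append(str(n.network_address) if n.prefixlen == n.max_prefixlen
                     else n.with_prefixlen)
    return "\n".join(lines) + "\n"


def to_bro_intel(nets, source="sample-feed"):
    """Tab-separated Bro Intel framework file with the required #fields
    header. Only single hosts are written as Intel::ADDR; CIDR blocks are
    skipped (assumption: no subnet indicator type in the Bro release used)."""
    header = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice"
    rows = [header]
    for n in nets:
        if n.prefixlen != n.max_prefixlen:
            continue
        rows.append("\t".join([str(n.network_address), "Intel::ADDR", source,
                               "IP reputation blacklist", "T"]))
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    indicators = parse_indicators(SAMPLE_FEED)
    print(to_snort_blacklist(indicators))
    print(to_bro_intel(indicators))
```

Point the Snort output at the path named in your reputation preprocessor line (preprocessor reputation: blacklist <file>) and drop the Bro output into /opt/bro/share/bro/intel/ on the master so Salt distributes it; since the parser never raises on a bad line, a feed that suddenly turns into an HTML error page simply produces an empty list, which is worth checking for before you overwrite the previous file.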