Last week I posted a diary about analyzing outgoing network traffic and asked our readers to comment on which data sources they use when monitoring the outbound connections their users establish.
Besides the sources I listed in the original diary, we got quite a few comments and some good questions, so I'm combining all of these in this second diary:
Emerging Threats RBN list: http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
ET's compromised IPs list: http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt
All abuse.ch trackers: Zeus (https://zeustracker.abuse.ch/), SpyEye (https://spyeyetracker.abuse.ch/), Palevo (https://palevotracker.abuse.ch/)
... or ET's list of bot C&Cs, which combines the abuse.ch trackers and Shadowserver: http://rules.emergingthreats.net/open/suricata/rules/botcc.rules
http://www.malwaredomainlist.com/mdl.php - a good malware domain/IP address list. There does not appear to be a downloadable list, but you can keep up to date through the RSS feeds they offer.
Spamhaus' Don't Route or Peer List (DROP): http://www.spamhaus.org/drop/
Alienvault also has a free IP reputation list available at https://reputation.alienvault.com/reputation.generic
Shadowserver has a great list available at http://www.shadowserver.org/wiki/pmwiki.php/Services/Downloads - you have to register, though, and you can see only information about your own networks contacting known C&Cs.
These are the lists I have verified in the meantime; for more, check the comments on the first diary.
One of our readers, Arnim, also asked about a potentially very useful list of IP addresses belonging to remote access services such as LogMeIn, NetViewer and similar. I'm not aware of such a list, but it would be very useful. Emerging Threats has something similar, a list of Tor exit nodes, but that only helps you figure out whether someone who visited your network came through Tor. The list is available at http://rules.emergingthreats.net/open/suricata/rules/tor.rules
Thanks to everyone that submitted their comments, including Christian, Ben, Arnim, Hal, Matt, Brent and many others.
--
Bojan
INFIGO IS
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.