[unisog] Spyware list

Russell Fulton r.fulton at auckland.ac.nz
Sat Feb 12 20:54:33 GMT 2005


On Sat, 2005-02-12 at 10:19 -0600, John Kristoff wrote:
> On Sat, 12 Feb 2005 16:35:35 +1300
> Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> 
> > I wonder if I dare to build a pf table from that list and use it to
> > block traffic?  Can anyone think of legitimate reasons why someone might
> > visit any of these sites?
> 
> Russell, note I haven't gone through the list and verified if any
> of the sites might be legitimate, but one word of caution is if
> blocked by IP address, the IP address may be either a) transient
> or b) a shared web hosting address. 

Ah, I had not thought of shared hosting, good point.  I also suspect
that these addresses are very much a moving target and you are dependent
on how assiduous this crowd are at keeping the list up to the minute. 

>  All the usual caveats about
> relying on any particular blacklist apply of course.
> 
> You might dare build a list to first report on traffic.

Now that's a bloody good idea!  I will write a script to convert the
list into snort rules and load them on my spyware sensor along with all
the bleeding edge rules.  Hmmm.... might have to investigate the
threshold stuff now so we don't get too many alerts.

Russell.
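
A sketch of the list-to-rules conversion mentioned above, as an added example that is not part of the original message and not the poster's script. It assumes the list holds one IPv4 address or CIDR per line, that the sensor runs Snort 2.x with the in-rule threshold keyword, and that the msg text, the sid range starting at 1000001 and the two-addresses-per-rule grouping are arbitrary local choices; the rules only alert, in line with reporting on traffic before blocking it.

```python
import ipaddress

# Constructed sample; the list discussed in the thread is not shown on the page.
SAMPLE_LIST = """\
# constructed blocklist sample (documentation address ranges)
192.0.2.10
198.51.100.7   # trailing comment
192.0.2.10
not-an-address
10.0.0.5
203.0.113.0/29
"""

# Internal ranges that must never end up as alert destinations.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_blocklist(text):
    """Return sorted, de-duplicated external IPv4 networks from the list."""
    nets = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # hostname or junk: skip rather than guess
        if net.version == 4 and not any(net.overlaps(i) for i in INTERNAL):
            nets.add(net)
    return sorted(nets)

def to_snort_rules(nets, start_sid=1000001, per_rule=2, seconds=3600):
    """Emit alert-only rules, rate-limited to one alert per source per window."""
    rules = []
    for i in range(0, len(nets), per_rule):
        chunk = nets[i:i + per_rule]
        dst = ",".join(str(n.network_address) if n.prefixlen == 32 else str(n)
                       for n in chunk)
        rules.append(
            f'alert ip $HOME_NET any -> [{dst}] any '
            f'(msg:"LOCAL spyware list destination"; '
            f'threshold: type limit, track by_src, count 1, seconds {seconds}; '
            f'classtype:policy-violation; sid:{start_sid + i // per_rule}; rev:1;)')
    return rules

if __name__ == "__main__":
    print("\n".join(to_snort_rules(parse_blocklist(SAMPLE_LIST))))
```

Because the entries may be transient or shared-hosting addresses, the output is best regenerated whenever the list is refreshed rather than edited by hand.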