[Dshield] Dshield Reports

stu secmail at patchsupplier.dyndns.org
Sun Aug 28 01:32:13 GMT 2005


I was researching the same thing a few weeks ago. I came across
http://www.bluetack.co.uk

They have an application on there called "block list manager", it allows
you to create your own blocklist. They have a list to choose from such
as advertising ranges, Trojans list, spyware lists, there's a fair few. 

I created a C# app that added the created range from this software to
the Windows packet filtering API. It was a good play. I think the
extended Dshield list would be awesome for a sort of distributed
blocklist, but what's on the blocklist will get blocked by a firewall
anyway. A bunch of snort boxes that record the IPs or broken rules and
publish them to a database might be more helpful for this kind of scenario?


-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of George A. Theall
Sent: 27 August 2005 00:28
To: General DShield Discussion List
Subject: Re: [Dshield] Dshield Reports

On Fri, Aug 26, 2005 at 10:32:27AM -0500, bpennell at coxhealthplans.com
wrote:

> I'm considering adding the Dshield Blocklist to my IPTables FW. I do
> have a couple questions.
> 
> Is there a larger list (as in Top 100 subnets)?

I've not seen a larger list from DShield / SANS.  But you might consider
incorporating the Spamhaus Don't Route Or Peer List --
http://www.spamhaus.org/drop/index.lasso -- into your firewall as it
covers known zombies / spam operations.

> I'm also considering scripting the Top 10 Offenders list into a chain.
> I am aware that some of those offenders are already blocked by the
> Dshield Blocklist, but not all.

Before you roll your own solution, check out my update-blocklist Perl
script -- http://www.tifaware.com/perl/update-blocklist/.  It generates
rules for an iptables-based firewall based on static and dynamic
blocklists.  Out of the box, it supports both DShield.org's and
Spamhaus' DROP list but it should be flexible enough to support others. 

> How often is the Top 10 Offenders list updated?

Johannes can answer this better than I, but given that it supposedly
reflects the top offenders over the past 3 days I doubt it changes much.


George
-- 
theall at tifaware.com
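
The blocklist-to-iptables step discussed in this thread, as an added example; it is not the update-blocklist script and not code from either poster. The two feed layouts (DROP-style `CIDR ; note` and DShield-style tab-separated start, end, prefix length), the `BLOCKLIST` chain name, the protected ranges and the /8 bound are assumptions, and the sample entries are constructed.

```python
import ipaddress

# Assumed never-block ranges, so a bad feed entry cannot cut off internal hosts.
PROTECTED = [ipaddress.IPv4Network(n) for n in
             ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIX = 8  # assumed sanity bound: refuse anything broader than a /8

SAMPLE = """\
; constructed DROP-style entries (documentation ranges): CIDR ; note
192.0.2.0/24 ; PLACEHOLDER-1
198.51.100.0/25 ; PLACEHOLDER-2
# constructed DShield-style entries: start, end, prefix length, count
198.51.100.128\t198.51.100.255\t25\t1234
203.0.113.0\t203.0.113.255\t24\t99
10.1.2.0/24 ; overlaps a protected range
0.0.0.0/0 ; far too broad
203.0.113.7/24 ; host bits set
"""

def parse_blocklist(text):
    """Return (collapsed networks, rejected lines) for either feed layout."""
    nets, rejected = [], []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        try:
            if "/" in fields[0]:
                net = ipaddress.IPv4Network(fields[0], strict=True)
            else:
                net = ipaddress.IPv4Network(f"{fields[0]}/{int(fields[2])}", strict=True)
                if net.broadcast_address != ipaddress.IPv4Address(fields[1]):
                    raise ValueError("end address does not match prefix")
            if net.prefixlen < MIN_PREFIX or any(net.overlaps(p) for p in PROTECTED):
                raise ValueError("too broad or overlaps a protected range")
        except (ValueError, IndexError):
            rejected.append(raw)
            continue
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets)), rejected

def render_rules(nets, chain="BLOCKLIST"):
    """Emit iptables-restore input that rebuilds one dedicated chain."""
    lines = ["*filter", f":{chain} - [0:0]"]
    lines += [f"-A {chain} -s {n} -j DROP" for n in nets]
    return "\n".join(lines + ["COMMIT"]) + "\n"

if __name__ == "__main__":
    print(render_rules(parse_blocklist(SAMPLE)[0]), end="")
```

The output is meant to be fed to `iptables-restore --noflush`, with a jump into the chain already present in the ruleset; rejected lines are returned so they can be logged rather than silently dropped.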


