For anyone else who wants to use lists, get them at 
https://www.iblocklist.com/

$10 a year gets you access to all the paid lists (Squidblacklist, etc.)

On Friday, May 23, 2014 2:58:29 PM UTC-4, dan (ddpbsd) wrote:
>
> On Fri, May 23, 2014 at 2:55 PM, PAL 18 <[email protected]> wrote:
> > Does OSSEC work on top of iptables? If so, I'll just use iptables to
> > block the ranges.
> >
>
> The question doesn't make sense. The active response feature can use 
> iptables, but other than that the two do not interact. 
>
> The blacklist idea would be that you download the IPs/domains and 
> either directly block them, feed them into OSSEC and make blocks when 
> a host tries to access them, or block them and make OSSEC aware so 
> that it can alert you that a host tried to access one of these 
> blacklisted IPs. I generally prefer the pro-active response myself. I 
> block IPs on my firewall, domains on my dns server, and have OSSEC 
> alert when one of these suspicious IPs/domains shows up in the logs so 
> I know to look at that host very carefully. 
>
> > 
> > On Friday, May 23, 2014 2:08:37 PM UTC-4, Michael Starks wrote: 
> >> 
> >> On 05/23/2014 12:28 PM, PAL 18 wrote: 
> >> > Can you share the script you've made? 
> >> 
> >> Ideally, OSSEC would have a fancy update daemon that was responsible
> >> for this and rules/decoders, but it's only been talked about so far.
> >> 
> >> I have a script which downloads from several sources and compiles into 
> >> CDB lists. I haven't shared it because I don't want to put it into 
> >> contrib and then have someone's personal site hammered with lots of 
> >> OSSEC users. But I can send it to you privately if you like. 
> >> 
> >> Btw, I am not entirely convinced that it works to update a CDB list 
> >> without restarting OSSEC. It's supposed to, but I saw some strange 
> >> things I have yet to look into. 
> >> 
> >> At any rate, I maintain a doc of lists I have found here:
> >>
> >> https://docs.google.com/document/d/1sAI8-_kAP02IpLCYeRnoI4ZV6a3VnWeItR2SdbUb_Ps/edit?usp=sharing
> >>
> >> It hasn't been updated in a while, so comment in the doc if I should add
> >> something.
> >> 
> >> One final note: Use this info in rules wisely. Just because someone 
> >> connects to you from, say, a Tor IP, it might not be an indicator of 
> >> concern. You really need to look at this stuff in context. 
> >> 
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
>

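As an added illustration of the "download from several sources and compile into CDB lists" step Michael describes (example code written for this page, not his script): it merges plain IP/CIDR feeds and iblocklist-style P2P ranges into the key:value text that ossec-makelists compiles, tagging each entry with every feed that listed it so an alert carries the context the thread asks for. It assumes OSSEC's documented dotted-prefix matching for IP keys ("192.0.2." covers 192.0.2.0/24); the feed names and addresses are constructed.

```python
# Merge several blocklist feeds into one OSSEC CDB list text file ("key:value" lines).
# Constructed example; assumes OSSEC's documented IP lookup ("192.0.2." matches 192.0.2.0/24).
import ipaddress
import re

# iblocklist P2P format: "<description>:<start-ip>-<end-ip>"
RANGE_RE = re.compile(r"^(?P<desc>.*):(?P<start>[\d.]+)-(?P<end>[\d.]+)$")

def cdb_keys(net):
    """Keys covering net exactly: each host for /25 and smaller, else a dotted prefix per /24, /16 or /8 chunk."""
    if net.prefixlen >= 25:
        return [str(addr) for addr in net]
    width = next(w for w in (8, 16, 24) if net.prefixlen <= w)
    return [".".join(str(sub.network_address).split(".")[: width // 8]) + "."
            for sub in net.subnets(new_prefix=width)]

def parse_source(name, text):
    """Yield (key, comment) from one feed: IPs, CIDRs, '#' comments or P2P ranges; comment names the feed."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = RANGE_RE.match(line)
        if match:
            nets = ipaddress.summarize_address_range(
                ipaddress.ip_address(match["start"]), ipaddress.ip_address(match["end"]))
            comment = f"{name} {match['desc'].replace(':', '-')}".strip()
        else:
            nets = [ipaddress.ip_network(line, strict=False)]
            comment = name
        for net in nets:
            for key in cdb_keys(net):
                yield key, comment

def compile_list(sources):
    """Merge {feed_name: feed_text} into sorted "key:value" lines. An IP on several feeds
    carries all their names, so an alert shows whether it is only a Tor exit or also on a C2 feed."""
    entries = {}
    for name, text in sources.items():
        for key, comment in parse_source(name, text):
            if comment not in entries.setdefault(key, []):
                entries[key].append(comment)
    return [f"{key}:{'; '.join(comments)}" for key, comments in sorted(entries.items())]

SAMPLE_SOURCES = {  # constructed feeds using RFC 5737 documentation ranges, not real indicators
    "tor-exits": "203.0.113.7\n203.0.113.9  # exit node\n",
    "c2-feed": "# known C2 hosts\n203.0.113.9\n198.51.100.0/24\n",
    "p2p-ranges": "Example Hoster:192.0.2.0-192.0.2.255\nSmall block:192.0.2.16-192.0.2.19\n",
}
```

Write the returned lines to the list file registered under `<rules><list>` in ossec.conf, run ossec-makelists, and reference it from a rule with `<list field="srcip" lookup="address_match_key">`.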