Today's Topics:
1. Twitter Blacklist feed (J. Oquendo)
2. Re: Twitter Blacklist feed (Simon Woodhead)
3. Re: Twitter Blacklist feed (Ryan Delgrosso)
4. Twitter blacklist feed (J. Oquendo)
----------------------------------------------------------------------
Message: 1
Date: Wed, 9 Jan 2013 13:08:53 -0600
From: "J. Oquendo" <[email protected]>
To: [email protected]
Subject: [VoiceOps] Twitter Blacklist feed
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii
So I rebuilt/redesigned/re-deployed a script to add bad
hosts to a blacklist. Script is monitoring my SBCs, hosted
PBXs, etc., aggregated, sorted, then reported. Tried to
remove duplicate addresses. Also, because I deal with
forensics and malware, I did a similar script for bad sites
that are serving out malware.
For VoIP attacks, one can make a script to check for VoIP-based
attackers and block them on the fly. E.g.:
links -dump twitter.com/efensive|awk '/VoIP/'
To make, say, an automated ipfilter rule:
links -dump twitter.com/efensive |\
awk '{print "iptables -A INPUT -s "$1" -j DROP"}' |sort -u|\
sh
Same goes for any other style rule (ASA, PIX, ScreenOS on
the command line). You get the point. Enjoy. (Cross posted to
Voice Ops)
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama
42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
------------------------------
Message: 2
Date: Wed, 9 Jan 2013 20:23:09 +0000
From: Simon Woodhead <[email protected]>
To: "J. Oquendo" <[email protected]>
Cc: [email protected]
Subject: Re: [VoiceOps] Twitter Blacklist feed
Message-ID:
<caep9jpakoadwx488-oha7zpnje3uhp3mlv6lhn1jkwuqcet...@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"
Hi
This is nice.
We publish similar data for honeypot attacks which might be useful to
someone:
http://mirror.simwood.com/honeypot/
There's a major caveat with any data like this though when automating,
and that is the potential to spoof addresses or use well-known addresses on
their behalf. There's one simple attack, for example, that attempts to
dictionary-attack admin pages using Google crawlers.
cheers
Simon
--
"Here's to the crazy ones. The misfits. The rebels. The troublemakers. The
round pegs in the square holes. The ones who see things differently.
They're not fond of rules. And they have no respect for the status quo. You
can quote them, disagree with them, glorify or vilify them. About the only
thing you can't do is ignore them. Because they change things. They push
the human race forward. And while some may see them as the crazy ones, we
see genius. Because the people who are crazy enough to think they can
change the world, are the ones who do."
Steve Jobs, Think Different <http://www.youtube.com/watch?feature=player_embedded&v=8rwsuXHA7RA>
***
Simon Woodhead FCSI
Managing Director
<http://www.simwood.com>
Simwood eSMS Limited
Wholesale Telecommunications
w: http://www.simwood.com
t: @simwoodesms <https://twitter.com/#!/simwoodesms>
direct line: +44 (0) 29 2120 2121
direct fax: +44 (0) 29 2120 2021
reception: +44 (0) 29 2120 2120
main fax: +44 (0) 29 2120 2020
--
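An added example (not code from either post): J. Oquendo's links|awk pipeline reworked so that each token is checked as a real IPv4 address, duplicates are dropped, anything on a never-block list is skipped (the spoofed or well-known-address problem Simon raises), and the rules are printed for review rather than piped straight into sh. The gen_rules name and the never-block file are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original posts. Reads a feed of
# suspected attacker addresses on stdin (first whitespace-separated
# field of each line is the address, as in the links|awk pipeline) and
# prints iptables DROP rules for review. Safeguards: strict IPv4
# validation, de-duplication, and a never-block list ($1, hypothetical
# file name) of exact addresses or "a.b.c." prefixes for your own SBCs,
# upstream carriers, or well-known addresses an attacker could spoof.
# usage: links -dump twitter.com/efensive | awk '/VoIP/' | gen_rules never-block.txt
gen_rules() {
    allowfile="${1:-/dev/null}"
    awk -v allowfile="$allowfile" '
    BEGIN {
        # load never-block entries, ignoring blank lines and # comments
        while ((getline line < allowfile) > 0)
            if (line != "" && line !~ /^#/) allow[line] = 1
    }
    {
        ip = $1
        # strict dotted-quad check: exactly four numeric octets, each 0-255
        if (split(ip, o, ".") != 4) next
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) next
        if (ip in allow) next
        # prefix entries such as "203.0.113." cover the whole /24
        for (p in allow)
            if (substr(p, length(p), 1) == "." && index(ip, p) == 1) next
        # emit each address once, in feed order
        if (!(ip in seen)) {
            seen[ip] = 1
            print "iptables -A INPUT -s " ip " -j DROP"
        }
    }'
}
```

Review the printed rules (or load them as a set with iptables-restore) instead of executing them unseen; a feed that anyone can post to is input, not authority.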
------------------------------
Message: 3
Date: Wed, 09 Jan 2013 12:32:43 -0800
From: Ryan Delgrosso <[email protected]>
To: [email protected]
Subject: Re: [VoiceOps] Twitter Blacklist feed
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
This is interesting, using twitter as a blacklist distribution mechanism.
While I would be wary of using this for any kind of automated blocking
purposes due to the possibility of spoofed addresses, it is an
interesting approach for sure.
I wonder if it's worthwhile putting together a similar twitter watchlist
for fraudulent international numbers (IRSF destinations). I know I can
produce a pretty significant list of IRSF destinations that others may
find useful and I am sure the reverse is also true.
------------------------------
Message: 4
Date: Wed, 9 Jan 2013 13:05:41 -0600
From: "J. Oquendo" <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: [VoiceOps] Twitter blacklist feed
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii
So I rebuilt/redesigned/re-deployed a script to add bad
hosts to a blacklist. Script is monitoring my SBCs, hosted
PBXs, etc., aggregated, sorted, then reported. Tried to
remove duplicate addresses. Also, because I deal with
forensics and malware, I did a similar script for bad sites
that are serving out malware.
For VoIP attacks, one can make a script to check for VoIP-based
attackers and block them on the fly. E.g.:
links -dump twitter.com/efensive|awk '/VoIP/'
To make, say, an automated ipfilter rule:
links -dump twitter.com/efensive |\
awk '{print "iptables -A INPUT -s "$1" -j DROP"}' |sort -u|\
sh
You get the point. Enjoy. (Cross posted to Voice Ops)
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama
42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
------------------------------
_______________________________________________
VoiceOps mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/voiceops
End of VoiceOps Digest, Vol 43, Issue 8
***************************************