osdir.com
mailing list archive

Subject: RE: RBN CIDRs - RussianBusinessNetworkIPs.txt - msg#00044

List: security.ids.snort.bleedingsnort

> Why do you say that? Is the compromised list in total too much for some
> boxes?

1) Knowing that there's traffic to the RBN is different from knowing that
there's traffic to a compromised machine (ankle biters vs organized crime).

2) Yes, the compromised list is too long (at least for me).

3) Pragmatically, while I am interested in all communications with
compromised systems, I am more interested in communications with the RBN.

P.S. the RBN aren't "compromised" systems in the usual sense. They are
*intentionally* configured with malicious intent.


Thread at a glance:

Previous Message by Date:

Re: RBN CIDRs - RussianBusinessNetworkIPs.txt

Why do you say that? Is the compromised list in total too much for some boxes?

matt

Reg Quinton wrote:
>> I'll err on the side of caution and not include them in the permanent
>> RBN list that goes into the compromised hosts ruleset.
>
> Personally, I'd prefer if the RBN list was a separate rule set and not
> buried in the list of "compromised" systems.
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc

Next Message by Date:

RBN and theplanet.com (was: RBN CIDRs - RussianBusinessNetworkIPs.txt)

On Sun, Oct 28, 2007 at 05:41:31PM -0700, Darren Spruell wrote:
> On 10/25/07, Darren Spruell
> <phatbuckett-Re5JQEeQqe8AvxtiuMwx3w@xxxxxxxxxxxxxxxx> wrote:
> > I think the Bleeding project maintained by James McQuaid is interesting.
> >
> > The current RussianBusinessNetworkIPs.txt looks to have the full
> > collection of CIDR blocks contained in the RBN ROKSO blacklist from
> > Spamhaus as well as 26 other CIDRs that are affiliated. I notice in
> > those some /32 addresses and similar that appear to be part of larger
> > CIDRs defined already causing a bit of redundancy.
>
> On this note, I trimmed the list down and made some minor edits,
> hoping they're inline with the intent of the list. I took out smaller
> subnets and individual addresses where a larger supernet was listed
> that contained those address blocks, and I added an explicit /32 to
> some of the individual IPs that were listed just to keep it
> consistent.
>
> Better, worse?
>
> DS

[...]

> 67.18.0.0/15

This netblock is quite huge. Is there some usable smaller range in there?
I get lots of hits on

67.18.199.130 sm46.avast.com (Antivirus firm)
67.19.167.98 a3.creativecommons.org

so I need to drop that network from the list.

Any pointers how theplanet.com is related to RBN?

Regards,
Markus
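The two list-hygiene steps discussed in the message above (Darren's trimming of entries already covered by a listed supernet and normalising bare IPs to /32, and Markus's problem of a block so broad that it also matches legitimate hosts) can be automated. The following is an added example written for this archive page; it is not code from the Bleeding Edge Threats project or from anyone in the thread, and it goes a little beyond the thread by also merging adjacent blocks and by carving known-good hosts out of a block rather than dropping the whole block. All addresses, the sample list and the `KNOWN_GOOD` hosts are constructed from RFC 5737 documentation ranges; the `RBN_NET` variable name is likewise made up.

```python
"""Tidy a CIDR blocklist before it goes into an IDS ruleset (added example)."""
import ipaddress

# Constructed sample list: comments, a bare host, a duplicate, a /28 that
# sits inside a listed /24, two adjacent /25s and an overly broad /23.
SAMPLE_LIST = """
# hostile ranges (constructed sample, RFC 5737 space)
198.51.100.0/24
198.51.100.16/28      # redundant: covered by the /24 above
203.0.113.0/25
203.0.113.128/25      # adjacent to the /25 above; merges into a /24
192.0.2.7             # bare host, should become /32
192.0.2.7/32          # duplicate of the host above
192.0.2.0/23          # constructed overly broad block
"""

# Constructed hosts an analyst has verified as legitimate traffic.
KNOWN_GOOD = ["192.0.2.200", "203.0.113.9"]


def parse_cidrs(text):
    """Return one IPv4Network per non-comment line; bare IPs become /32."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False accepts a prefix with host bits set (e.g. 192.0.2.7/24)
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def collapse(nets):
    """Drop duplicates and covered subnets, merge adjacent blocks, sort.

    IPv4 only: collapse_addresses refuses a mix of address families.
    """
    return list(ipaddress.collapse_addresses(nets))


def overly_broad(nets, known_good):
    """Map each block to the known-good hosts it would also match."""
    hits = {}
    for net in nets:
        matched = [ip for ip in known_good if ipaddress.ip_address(ip) in net]
        if matched:
            hits[str(net)] = matched
    return hits


def carve_out(nets, known_good):
    """Keep the blocks but punch each known-good host out as a /32 hole."""
    result = list(nets)
    for ip in known_good:
        host = ipaddress.ip_network(ip + "/32")
        kept = []
        for net in result:
            if net == host:
                continue                      # the entry *is* the good host
            if host.subnet_of(net):
                kept.extend(net.address_exclude(host))
            else:
                kept.append(net)
        result = kept
    return collapse(result)


def snort_ipvar(name, nets):
    """Render the list as a Snort ipvar so it can feed a separate ruleset."""
    return "ipvar {} [{}]".format(name, ",".join(str(n) for n in nets))


if __name__ == "__main__":
    cleaned = collapse(parse_cidrs(SAMPLE_LIST))
    print("collapsed:", [str(n) for n in cleaned])
    print("would also match known-good:", overly_broad(cleaned, KNOWN_GOOD))
    print(snort_ipvar("RBN_NET", carve_out(cleaned, KNOWN_GOOD)))
```

Run it on the real list file instead of `SAMPLE_LIST` and review whatever `overly_broad` reports before the list is published; carving the verified hosts out keeps the rest of a large block under watch, which is a smaller loss of coverage than dropping a /15 outright.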


Next Message by Thread:

Re: RBN CIDRs - RussianBusinessNetworkIPs.txt

All very good points. And yes, a better name for the compromised list might be the hostile list. But that's just semantics.

I'm leaning toward then making a separate RBN only ruleset. I hate to make more and more sets, but this seems worth it.

Anyone have other suggestions, or comments for/against before I go ahead and do so?

Matt

Reg Quinton wrote:
>> Why do you say that? Is the compromised list in total too much for some
>> boxes?
>
> 1) Knowing that there's traffic to the RBN is different from knowing that
> there's traffic to a compromised machine (ankle biters vs organized crime).
>
> 2) Yes, the compromised list is too long (at least for me).
>
> 3) Pragmatically, while I am interested in all communications with
> compromised systems, I am more interested in communications with the RBN.
>
> Ps. the RBN aren't "compromised" systems in the usual sense. They are
> *intentionally* configured with malicious intent.
>
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc