Recommended staple IPv4, IPv6, DNSBL lists
-
I realize what works for you may not be ideal for me and vice versa, but what are the recommended lists that you have on your pfBlockerNG setup that you consider staples?
-
CINS_Army
ET_Block (includes DShield/ISC)
ET_Comp
Spamhaus_Drop
Spamhaus_eDrop
BDS_TOR
Spamhaus_Drop6Note several of these also show up in Snort/Suricata rulesets, don't use both.
-
@steveits said in Recommended staple IPv4, IPv6, DNSBL lists:
Note several of these also show up in Snort/Suricata rulesets, don't use both.
Thanks! Out curiosity why not use both? and how can tell if they show up in rulesets?
-
https://rules.emergingthreats.net/blockrules/compromised-ips.txt
https://isc.sans.edu/api/threatlist/shadowserver/?xml
https://isc.sans.edu/api/threatlist/shodan/?xml
-
Hi, for me and my home with two office's and after trying different list and combos. Have settled on just these 4 for DNSBL. The easy lists are set as the primary.
-easy list
-easy privacy
-adaway
-Dan Pollock SWC -
@uglybrian Thanks! Any idea what the difference is between the Malicious and Malicious2 groups? I added both, but a list in Malicious2 group blocked sites like amazon.com and cnn.com for example. So I just removed the Malicious2 group altogether.
-
I do not know the difference between the two lists. But, I would say that any block list with Amazon and CNN is more for bandwidth control in a big company. Just a guess.I have found that with a home /office when it comes to DNSBL that less is more. In exploring the feeds I have noticed lot of these list overlap each other.I settled on my given list through trial and error. And only chose feeds that showed when they have been updated. (see last line of posted pic below) My only goal was to block the most ads and spy,etc with the shortest lists. I kept a seat of the pants track of hits per list size on the feeds. Along with angry shouts of why is this blocked. Eventually settled on the the 4 I listed.
-
@code4food23 said in Recommended staple IPv4, IPv6, DNSBL lists:
why not use both? and how can tell if they show up in rulesets
There's no point in scanning for DROP packets in Snort if they were blocked by the firewall. Category emerging-drop.rules is the Spamhaus DROP list. Click the category name to open the file and it usually has a note explaining what it is.
