> On 22 Jan 2020, at 20:35, Tim FitzGeorge wrote:
>
> Hello Michael,
>
> On 06/01/2020 11:21, Michael Tremer wrote:
>> Hello Tim,
>>
>>> On 28 Dec 2019, at 21:17, Tim FitzGeorge wrote:
>>>
>>> Hi,
>>>
>>> Having decided that we'll categorise the lists, the question is what
>>> categories to use. They need to be:
>>>
>>> - Short (to fit on the screen)
>>> - Easily translatable
>>> - and above all, useful.
>>>
>>> Looking at the lists the obvious categories are:
>>>
>>> - Invalid Address (on the public internet)
>>>   BOGON, BOGON_FULL
>>>
>>> - Scanner (not by itself malicious)
>>>   SHODAN
>>>
>>> - Application (potentially unwanted)
>>>   TOR_ALL, TOR_EXIT
>>>
>>> - Malware C & C
>>>   FEODO_RECOMMENDED, FEODO_IP, FEODO_AGGRESIVE
>>>
>>> - Composite
>>>   EMERGING_FWRULE
>>
>> I like all these a lot.
>>
>>> Less obvious are:
>>>
>>> - Reputation
>>>   ALIENVAULT, CIARMY, SPAMHAUS_DROP, SPAMHAUS_EDROP
>>>
>>> - Attacks
>>>   BLOCKLIST_DE, DSHIELD, EMERGING_COMPROMISED
>>
>> I even like those two, although I would potentially consider merging
>> “Invalid Address” and Reputation. They are kind of the same to me: IP
>> addresses I under no circumstances want to talk to.
>
> I think I'd rather keep them separate, since conceptually they're rather
> different. Also, if your red interface has a private address, you
> definitely wouldn't want to enable these lists.

Yes, that makes sense.

>> I also like the Attacks category, although the name is very generic.
>> But I cannot come up with anything better. The only thing that might be
>> worth considering is to merge it with Malware and just call it “Malicious”.
>
> I suspect that anything more specific than Attacks is going to only
> describe a single list. It's (unfortunately) a catch-all category for
> anything that doesn't fit better somewhere else.
>
> I'd rather not merge it with Malware C&C since the behaviour of the two
> is rather different - under most circumstances lists in this category
> shouldn't block any packets, whereas the Attacks category is expected to
> block a lot of inbound traffic.

I can follow your argument and I am all for it. However I am not sure if
this is obvious from the category names. Instead of wasting too much time
thinking about them (because I am sure that we can slice this cake in many
different ways) I am okay with what you proposed if everybody else is.

-Michael

>>> I'm not sure that the distinction between these two is going to be
>>> helpful to most people (I'm not sure I understand it myself).
>>>
>>> We could use:
>>>
>>> - Top attackers
>>>   DSHIELD, EMERGING_COMPROMISED, SPAMHAUS_DROP, SPAMHAUS_EDROP
>>>
>>> - Other attackers
>>>   ALIENVAULT, BLOCKLIST_DE, CIARMY
>>>
>>> but that might be making a distinction that is better made by the user.
>>
>> Agreed. It is not obvious why some are top attackers and others are not.
>>
>> So I would 100% prefer the first option from above.
>>
>> Best,
>> -Michael
>>
>
> Tim
>
>>>
>>> Any opinions?
>>>
>>> Tim
>>>
>>>
>>> On 18/12/2019 12:10, Michael Tremer wrote:
>>>> Hi,
>>>>
>>>>> On 16 Dec 2019, at 23:05, Tom Rymes wrote:
>>>>>
>>>>> On 12/16/2019 5:20 PM, Michael Tremer wrote:
>>>>>> Hi,
>>>>>>
>>>>>>> On 16 Dec 2019, at 20:06, Tim FitzGeorge wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I've attached the current GUI screenshot.
>>>>>>
>>>>>> Thanks for that.
>>>>>>
>>>>>> I have a couple of suggestions/concerns about it:
>>>>>
>>>>> [snip]
>>>>>
>>>>>> c) I would suggest to remove the “safe” column because that is a
>>>>>> very hard summary of what the lists do. We should explain that on the
>>>>>> wiki. I guess this is too complicated to explain to our users in one
>>>>>> sentence and it needs at least a page of text. People who do not read
>>>>>> that, you have just lost.
>>>>>
>>>>> [snip]
>>>>>
>>>>> May I opine that the "Safe" information would be helpful to me in
>>>>> the WUI. Perhaps we can be more explicit, or better explain, such as is
>>>>> often done with RBLs in mail server settings, where lists are sometimes
>>>>> described in terms of their likelihood to cause false-positives.
>>>>>
>>>>> It's all well and good in the documentation, but a quick
>>>>> "Safe|Moderate|Risky" listing in the WUI will prove handy, IMHO.
>>>>>
>>>>> Just my $0.02 as more of a user than a developer,
>>>>
>>>> I appreciate your input, but I still disagree that we take
>>>> the decision if something is “risky” or not. There are too many things
>>>> that need to be taken into account to make that decision and it probably
>>>> varies for each user.
>>>>
>>>> What I take from your comment though is that we should categorise
>>>> the lists, and that is something we can do.
>>>>
>>>> We can add a headline to the table and group the lists by “Blocking
>>>> ambiguous packets”, “Blocking Malware”, etc.
>>>>
>>>> That makes it easier for the user to decide which lists are
>>>> interesting or even necessary depending on what they want to achieve.
>>>>
>>>> How is that?
>>>>
>>>> -Michael
>>>>
>>>>>
>>>>> Tom