From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 0/5] ipblacklist: IP Address Blacklists
Date: Mon, 06 Jan 2020 11:21:19 +0000

Hello Tim,

> On 28 Dec 2019, at 21:17, Tim FitzGeorge wrote:
>
> Hi,
>
> Having decided that we'll categorise the lists, the question is what
> categories to use. They need to be:
>
> - Short (to fit on the screen)
> - Easily translatable
> - and above all, useful.
>
> Looking at the lists the obvious categories are:
>
> - Invalid Address (on the public internet)
>   BOGON, BOGON_FULL
>
> - Scanner (not by itself malicious)
>   SHODAN
>
> - Application (potentially unwanted)
>   TOR_ALL, TOR_EXIT
>
> - Malware C & C
>   FEODO_RECOMMENDED, FEODO_IP, FEODO_AGGRESIVE
>
> - Composite
>   EMERGING_FWRULE

I like all these a lot.

> Less obvious are:
>
> - Reputation
>   ALIENVAULT, CIARMY, SPAMHAUS_DROP, SPAMHAUS_EDROP
>
> - Attacks
>   BLOCKLIST_DE, DSHIELD, EMERGING_COMPROMISED

I even like those two, although I would potentially consider merging “Invalid Address” and Reputation. They are kind of the same to me: IP addresses I under no circumstances want to talk to.

I also like the Attacks category, although the name is very generic. But I cannot come up with anything better. The only thing that might be worth considering is to merge it with Malware and just call it “Malicious”.

> I'm not sure that the distinction between these two is going to be
> helpful to most people (I'm not sure I understand it myself).
>
> We could use:
>
> - Top attackers
>   DSHIELD, EMERGING_COMPROMISED, SPAMHAUS_DROP, SPAMHAUS_EDROP
>
> - Other attackers
>   ALIENVAULT, BLOCKLIST_DE, CIARMY
>
> but that might be making a distinction that is better made by the user.

Agreed. It is not obvious why some are top attackers and others are not. So I would 100% prefer the first option from above.

Best,
-Michael

> Any opinions?
>
> Tim
>
>
> On 18/12/2019 12:10, Michael Tremer wrote:
>> Hi,
>>
>>> On 16 Dec 2019, at 23:05, Tom Rymes wrote:
>>>
>>> On 12/16/2019 5:20 PM, Michael Tremer wrote:
>>>> Hi,
>>>>
>>>>> On 16 Dec 2019, at 20:06, Tim FitzGeorge wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I've attached the current GUI screenshot.
>>>>
>>>> Thanks for that.
>>>>
>>>> I have a couple of suggestions/concerns about it:
>>>
>>> [snip]
>>>
>>>> c) I would suggest to remove the “safe” column because that is a very hard summary of what the lists do. We should explain that on the wiki. I guess this is too complicated to explain to our users in one sentence and it needs at least a page of text. People who do not read that, you have just lost.
>>>
>>> [snip]
>>>
>>> May I opine that the "Safe" information would be helpful to me in the WUI. Perhaps we can be more explicit, or better explain, such as is often done with RBLs in mail server settings, where lists are sometimes described in terms of their likelihood to cause false-positives.
>>>
>>> It's all well and good in the documentation, but a quick "Safe|Moderate|Risky" listing in the WUI will prove handy, IMHO.
>>>
>>> Just my $0.02 as more of a user than a developer,
>>
>> I appreciate your input, but what I still disagree with is that we take the decision if something is “risky” or not. There are too many things that need to be taken into account to make that decision and it probably varies for each user.
>>
>> What I take from your comment though is that we should categorise the lists, and that is something we can do.
>>
>> We can add a headline to the table and group the lists by “Blocking ambiguous packets”, “Blocking Malware”, etc.
>>
>> That makes it easier for the user to decide which lists are interesting or even necessary depending on what they want to achieve.
>>
>> How is that?
>>
>> -Michael
>>
>>>
>>> Tom
>>
>