public inbox for development@lists.ipfire.org
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/3] sources: Removal of ALIENVAULT and SPAMHAUS_EDROP from ipblocklist sources
Date: Sat, 20 Apr 2024 12:18:10 +0200
Message-ID: <e25096ea-a048-4c8c-a490-4dbd3b5f4900@ipfire.org>
In-Reply-To: <uvvu4d$361kv$1@tuscan4.grantura.co.uk>

Hi Rob,

On 20/04/2024 10:24, Rob Brewer wrote:
> On Fri, 19 Apr 2024 15:39:39 +0200, Adolf Belka wrote:
>
>> - ALIENVAULT has not been updated since at least Nov 2022 but probably earlier. There is no
>>     date for the file to be downloaded but a forum user has log messages from Nov 2022 that
>>     indicate the file had not changed and therefore no download occurred.
>> - AT&T acquired AlienVault in August 2018. Somewhere between 2018 and 2022 the list stopped
>>     getting updated. AlienVault references on the AT&T website are now for a different product.
>> - Discussed in IPFire conf call of April 2024 and agreed to remove the ALIENVAULT
>>     blocklist.
>> - On Apr 10th the Spamhaus eDROP list was merged with the Spamhaus DROP list. The eDROP
>>     list is still available but is now empty. Trying to select the SPAMHAUS_EDROP list
>>     gives an error message that the blocklist was found to be empty.
>> - This patch removes both the ALIENVAULT and the SPAMHAUS_EDROP lists from the ipblocklist
>>     sources file.
>>
>> Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
>> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
>> ---
>>   config/ipblocklist/sources | 12 ------------
>>   1 file changed, 12 deletions(-)
>>
>> diff --git a/config/ipblocklist/sources b/config/ipblocklist/sources
>> index be0cf0229..0835c0f9c 100644 --- a/config/ipblocklist/sources +++
>> b/config/ipblocklist/sources @@ -55,12 +55,6 @@ our %sources = (
>> 'EMERGING_FWRULE' => { 'name'     => 'Emerging Threats Blocklis
>>                                       'parser'   => 'ip-or-net-list',
>>                                       'rate'     => '12h',
>>                                       'category' => 'reputation' },
>> -             'SPAMHAUS_EDROP'  => { 'name'     => "Spamhaus Extended
>> Don't Route or Peer List",
>> -                                    'url'      =>
>> 'https://www.spamhaus.org/drop/edrop.txt',
>> -                                    'info'     =>
>> 'https://www.spamhaus.org/drop/',
>> -                                    'parser'   => 'ip-or-net-list',
>> -                                    'rate'     => '1h',
>> -                                    'category' => 'reputation' },
>>                'DSHIELD'         => { 'name'     => 'Dshield.org
>>                Recommended Block List',
>>                                       'url'      =>
>>                                       'https://www.dshield.org/
> block.txt',
>>                                       'info'     =>
>>                                       'https://dshield.org/',
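Review bot: with the 'SPAMHAUS_EDROP' key removed in this hunk, a system that had only that list enabled ends up with no Spamhaus list active, even though the commit message says its content now lives in the DROP list. Suggest that the update.sh change in 2/3 turn on SPAMHAUS_DROP for any system that had SPAMHAUS_EDROP=on before it deletes the old setting, and that the commit message state this so the behaviour after upgrade is documented.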
>> @@ -106,12 +100,6 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name'
>> => 'Emerging Threats Blocklis
>>                                       'parser'   => 'ip-or-net-list',,
>>                                       'rate'     => '1h',
>>                                       'category' => 'application' },
>> -             'ALIENVAULT'      => { 'name'     => 'AlienVault IP
>> Reputation database',
>> -                                    'url'      =>
>> 'https://reputation.alienvault.com/reputation.generic',
>> -                                    'info'     =>
>> 'https://www.alienvault.com/resource-center/videos/what-is-ip-domain-
> reputation',
>> -                                    'parser'   => 'ip-or-net-list',
>> -                                    'rate'     => '1h',
>> -                                    'category' => 'reputation' },
>>                'BOGON'           => { 'name'     => 'Bogus address list
>>                (Martian)',
>>                                       'url'      =>
>>                                       'https://www.team-cymru.org/
> Services/Bogons/bogon-bn-agg.txt',
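Review bot: the unchanged context line just above the removed 'ALIENVAULT' block, as quoted here, ends in a doubled comma ('parser' => 'ip-or-net-list',,). Perl accepts that inside a hash list, so it is not a functional problem, but since this hunk already touches the neighbouring entry it would be worth tidying in the same series so the file stays consistent with the other 'parser' lines.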
>
>
> It would appear that SPAMHAUS_EDROP has been merged into SPAMHAUS_DROP
> list.
That is correct. That is what I put in the commit message.

Spamhaus have the following page about the change.

https://www.spamhaus.org/resource-hub/network-security/spamhaus-drop-and-edrop-to-become-a-single-list/#what-are-the-spamhaus-drop-lists

> "; This list has been merged into https://www.spamhaus.org/drop/drop.txt
> ; Spamhaus EDROP List 2024/04/19 - (c) 2024 The Spamhaus Project
> ; https://www.spamhaus.org/drop/edrop.txt
> ; Last-Modified: Fri, 19 Apr 2024 13:49:21 GMT
> ; Expires: Sat, 20 Apr 2024 13:49:21 GMT
> ; EOF
>
> I think it would be better to change the URL in the sources list from:
>
> https://www.spamhaus.org/drop/edrop.txt
>
> to
>
> https://www.spamhaus.org/drop/drop.txt
>
>
> Rather than just remove the list from the sources file.
I don't really understand your suggestion here. The EDROP list has gone. 
The old URL is still there but with an empty file except for the message.

The Spamhaus Drop list is now the equivalent of what used to be the 
Spamhaus eDrop list.

Having two entries, one called DROP and one EDROP both pointing to the
same list seems pointless to me and potentially confusing for users as
they might think they get something different from the two and if they
select both they will get two sets of exactly the same IPs.

What I can do is to make a modification to the script I added to the
update.sh file to check if SPAMHAUS_EDROP=on is set in the settings file
and then add SPAMHAUS_DROP=on to the settings file if it is not set,
before removing the references to SPAMHAUS_EDROP.

Regards,

Adolf.

>
> Rob Brewer
>
>
>>                                       'info'     =>
>>                                       'https://www.team-cymru.com/bogon-
> reference',
>

-- 
Sent from my laptop
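
The settings migration proposed in the message above, sketched as an added example; it is not part of the thread and not IPFire's update.sh. It assumes the settings file holds one KEY=value per line (the thread shows SPAMHAUS_EDROP=on), and the function name, the temporary file paths and the choice to turn an existing SPAMHAUS_DROP=off into on are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration, not IPFire's update.sh. The settings file is assumed to
# hold one KEY=value per line (the thread shows SPAMHAUS_EDROP=on); the
# function name and file paths are hypothetical.

migrate_blocklist_settings() {
    settings="$1"
    [ -f "$settings" ] || return 0      # no settings file, nothing to migrate

    tmp=$(mktemp) || return 1

    if grep -q '^SPAMHAUS_EDROP=on$' "$settings"; then
        # The user relied on eDROP: replace any SPAMHAUS_DROP line (missing,
        # off, or already on) with a single SPAMHAUS_DROP=on.
        sed -e '/^SPAMHAUS_DROP=/d' "$settings" > "$tmp"
        echo 'SPAMHAUS_DROP=on' >> "$tmp"
    else
        cat "$settings" > "$tmp"
    fi

    # Drop the retired keys whatever value they carry, then write the result
    # back in place so the file keeps its owner and mode.
    sed -e '/^SPAMHAUS_EDROP=/d' -e '/^ALIENVAULT=/d' "$tmp" > "$settings"
    rm -f "$tmp"
}

# Constructed sample: eDROP on, DROP off, one unrelated list left untouched.
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' 'SPAMHAUS_DROP=off' 'SPAMHAUS_EDROP=on' \
                  'ALIENVAULT=on' 'DSHIELD=on' > "$f"
    migrate_blocklist_settings "$f"
    migrate_blocklist_settings "$f"     # second run must change nothing
    cat "$f"
    rm -f "$f"
}

demo
```

Running the function twice gives the same file, which matters because an update script may be re-run on a system that has already been migrated.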


Thread overview: 6+ messages
2024-04-19 13:39 Adolf Belka
2024-04-19 13:39 ` [PATCH 2/3] update.sh: Remove existing entries for ALIENVAULT & SPAMHAUS_EDROP Adolf Belka
2024-04-19 13:39 ` [PATCH 3/3] backup.pl: removes any references to ALIENVAULT & SPAMHAUSEDROP from restores Adolf Belka
2024-04-20  8:24 ` [PATCH 1/3] sources: Removal of ALIENVAULT and SPAMHAUS_EDROP from ipblocklist sources Rob Brewer
2024-04-20 10:18   ` Adolf Belka [this message]
2024-04-20 10:45     ` Rob Brewer
