Re: [PATCH 0/5] ipblacklist: IP Address Blacklists

[Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>]

[-- Attachment #1: Type: text/plain, Size: 2988 bytes --]

Hi,

Having decided that we'll categorise the lists, the question is what
categories to use.  They need to be:

- Short (to fit on the screen)
- Easily translatable
- and above all, useful.

Looking at the lists the obvious categories are:

- Invalid Address (on the public internet)
	BOGON, BOGON_FULL

- Scanner (not by itself malicious)
	SHODAN

- Application (potentially unwanted)
	TOR_ALL, TOR_EXIT

- Malware C & C
	FEODO_RECOMMENDED, FEODO_IP, FEODO_AGGRESIVE

- Composite
	EMERGING_FWRULE

Less obvious are:

- Reputation
	ALIENVAULT, CIARMY, SPAMHAUS_DROP, SPAMHAUS_EDROP

- Attacks
	BLOCKLIST_DE, DSHIELD, EMERGING_COMPROMISED

I'm not sure that the distinction between these two is going to be
helpful to most people (I'm not sure I understand it myself).

We could use:

- Top attackers
	DSHIELD, EMERGING_COMPROMISED, SPAMHAUS_DROP, SPAMHAUS_EDROP

- Other attackers
	ALIENVAULT, BLOCKLIST_DE, CIARMY

but that might be making a distinction that is better made by the user.

Any opinions?

Tim


On 18/12/2019 12:10, Michael Tremer wrote:
> Hi,
> 
>> On 16 Dec 2019, at 23:05, Tom Rymes <trymes(a)rymes.com> wrote:
>>
>> On 12/16/2019 5:20 PM, Michael Tremer wrote:> Hi,
>>>
>>>> On 16 Dec 2019, at 20:06, Tim FitzGeorge <lists(a)tfitzgeorge.me.uk> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I've attached the current GUI screenshot.
>>>
>>> Thanks for that.
>>>
>>> I have a couple of suggestions/concerns about it:
>>
>> [snip]
>>
>>> c) I would suggest to remove the “safe” column because that is a very hard summary of what the lists do. We should explain that on the wiki. I guess this is too complicated to explain to our users in one sentence and it needs at least a page of text. People who do not read that have you just lost out.
>>
>> [snip]
>>
>> May I opine that the "Safe" information would be helpful to me in the WUI. Perhaps we can be more explicit, or better explain, such as is often done with RBLs in mail server settings, where lists are sometimes described in terms of their likelihood to cause false-positives.
>>
>> It's all well and good in the documentation, but a quick "Safe|Moderate|Risky" listing in the WUI will prove handy, IMHO.
>>
>> Just my $0.02 as more of a user than a developer,
> 
> I appreciate your input, but I still disagree with is that we take the decision if something is “risky” or not. There are too many things that need to be taken into account to make that decision and it probably varies for each user.
> 
> What I take from your comment though is that we should categorise the lists, and that is something we can do.
> 
> We can add a headline to the table and group the lists by “Blocking ambiguous packets”, “Blocking Malware”, etc.
> 
> That makes it easier for the user to decide which lists are interesting or even necessary depending on what they want to achieve.
> 
> How is that?
> 
> -Michael
> 
>>
>> Tom
>