Hi,
Having decided that we'll categorise the lists, the question is what categories to use. They need to be:
- Short (to fit on the screen)
- Easily translatable
- and above all, useful.
Looking at the lists the obvious categories are:
- Invalid Address (on the public internet): BOGON, BOGON_FULL
- Scanner (not by itself malicious): SHODAN
- Application (potentially unwanted): TOR_ALL, TOR_EXIT
- Malware C & C: FEODO_RECOMMENDED, FEODO_IP, FEODO_AGGRESIVE
- Composite: EMERGING_FWRULE
Less obvious are:
- Reputation: ALIENVAULT, CIARMY, SPAMHAUS_DROP, SPAMHAUS_EDROP
- Attacks: BLOCKLIST_DE, DSHIELD, EMERGING_COMPROMISED
I'm not sure that the distinction between these two is going to be helpful to most people (I'm not sure I understand it myself).
We could use:
- Top attackers: DSHIELD, EMERGING_COMPROMISED, SPAMHAUS_DROP, SPAMHAUS_EDROP
- Other attackers: ALIENVAULT, BLOCKLIST_DE, CIARMY
but that might be making a distinction that is better made by the user.
Any opinions?
Tim
On 18/12/2019 12:10, Michael Tremer wrote:
Hi,
On 16 Dec 2019, at 23:05, Tom Rymes trymes@rymes.com wrote:
On 12/16/2019 5:20 PM, Michael Tremer wrote:
Hi,
On 16 Dec 2019, at 20:06, Tim FitzGeorge lists@tfitzgeorge.me.uk wrote:
Hi,
I've attached the current GUI screenshot.
Thanks for that.
I have a couple of suggestions/concerns about it:
[snip]
c) I would suggest removing the “safe” column because that is a very hard summary of what the lists do. We should explain that on the wiki. I guess this is too complicated to explain to our users in one sentence and it needs at least a page of text. People who do not read that, you have just lost.
[snip]
May I opine that the "Safe" information would be helpful to me in the WUI. Perhaps we can be more explicit, or better explain, such as is often done with RBLs in mail server settings, where lists are sometimes described in terms of their likelihood to cause false-positives.
It's all well and good in the documentation, but a quick "Safe|Moderate|Risky" listing in the WUI will prove handy, IMHO.
Just my $0.02 as more of a user than a developer,
I appreciate your input, but what I still disagree with is that we take the decision whether something is “risky” or not. There are too many things that need to be taken into account to make that decision and it probably varies for each user.
What I take from your comment though is that we should categorise the lists, and that is something we can do.
We can add a headline to the table and group the lists by “Blocking ambiguous packets”, “Blocking Malware”, etc.
That makes it easier for the user to decide which lists are interesting or even necessary depending on what they want to achieve.
How is that?
-Michael
Tom