Blacklist... lists

jadams (2[H]4U, joined Mar 14, 2010, 4,086 messages)
Those of you using pfsense are probably familiar with pfblocker and its ability to retrieve and keep up to date versions of text files with CIDRs to block. Lots of people probably use the lists over at https://www.iblocklist.com/lists.php

What I'm looking to know is if these blacklists produce something similar. Going to many of their websites they give instructions on how to configure them using postfix or spamassassin (which pfsense uses). However pfblocker is by far easier to use than postfix and spamassassin.

Do these lists exist? Am I just not looking in the right corners of the internet?
 

iroc409 ([H]ard|Gawd, joined Jun 17, 2006, 1,373 messages)
I don't know if this is what you're looking for, but Emerging Threats makes a blacklist for several products. Their ETPro ruleset competes with/complements the Snort VRT rule set, and the ETOpen rule set has pre-made files for several firewalls, including pf. I don't know if pfblocker will directly use them, but I can't see why not, since it's pf. You can just grab the new file daily off ET's website and use it as an include in your pf.conf.
 

jadams (2[H]4U, joined Mar 14, 2010, 4,086 messages)
Looking at this thread on the pfsense forums it was suggested to not use the Snort rules that are utilizing the lists, but to rather use the equivalent of pfblocker.

Snort pulls these lists and blocks them as well, but snort uses considerably more resources than pfblocker would. So I've copied the lists specified into pfblocker already.

https://forum.pfsense.org/index.php/topic,64674.0.html


The thread tells you which Categories are using these lists and to disable them. Then to configure pfblocker to use the lists instead.
 

jadams (2[H]4U, joined Mar 14, 2010, 4,086 messages)
However, I'm also starting to enable SMTP/EMAIL/PHISHING/SPAM/MALWARE/VIRUS/TROJAN based categories that DO NOT use the http preprocessor. The HTTP Preprocessor creates an absurd amount of false positives.

Unfortunately though some of the aforementioned categories have HTTP Preprocessor rules and it's been quite tedious to disable individual rules, especially when some of these categories have 1000+ rules.

Text to CSV and sorting has been my friend over the last couple days. What it really comes down to is I would not like snort to filter by IP. It's not as efficient. Pfblocker will do it at a much reduced cost. Also the above lists have still enabled a lot of spam to come through. Tracking the message back to the sender they almost are always on a blacklist. If I could just get the text to those blacklists.....
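The tedious part of the post above is picking out, from a category file with 1000+ rules, the ones that depend on the HTTP preprocessor. The added script below (my example, not code from the thread or from the pfSense/Snort packages) does that mechanically: it scans Snort 2 rule text for the http_inspect content modifiers (http_uri, http_header, http_client_body and friends), skips rules that are already commented out, and returns the matching sids, optionally in the gid:sid form that pulledpork-style disablesid lists use. The rule lines it runs on are constructed samples, not real ET/VRT rules.

```python
import re

# Constructed sample rules (not real ET/VRT signatures). Rules 1 and 2 rely on
# http_inspect modifiers, rule 3 is a plain SMTP content match, rule 4 is
# already disabled and must be ignored.
SAMPLE_RULES = """\
# comment line, not a rule
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE phishing landing page"; flow:to_server,established; content:"/login.php"; http_uri; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE trojan check-in"; flow:to_server,established; content:"User-Agent|3a| bad"; http_header; sid:9000002; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE spam relay attempt"; flow:to_server,established; content:"RCPT TO|3a|"; nocase; sid:9000003; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE already off"; content:"x"; http_uri; sid:9000004; rev:1;)
"""

# Snort 2 content modifiers that require the HTTP preprocessor. Rules that
# only use pcre buffer flags (e.g. /U) are not caught here and would need a
# pcre-aware parser.
HTTP_MODIFIERS = re.compile(
    r';\s*(http_uri|http_raw_uri|http_header|http_raw_header|http_client_body|'
    r'http_cookie|http_raw_cookie|http_method|http_stat_code|http_stat_msg)\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def uses_http_preprocessor(rule):
    """True if a single rule line carries an http_inspect content modifier."""
    return bool(HTTP_MODIFIERS.search(rule))


def http_rule_sids(text):
    """Sids of active (not commented-out) rules that depend on http_inspect."""
    sids = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue          # comments and disabled rules are left alone
        if uses_http_preprocessor(line):
            m = SID_RE.search(line)
            if m:
                sids.append(int(m.group(1)))
    return sids


def disablesid_lines(text):
    """Format the sids as gid:sid entries (gid 1 = standard text rules)."""
    return ['1:%d' % sid for sid in http_rule_sids(text)]


if __name__ == '__main__':
    print('\n'.join(disablesid_lines(SAMPLE_RULES)))
```

Point `http_rule_sids` at the contents of a downloaded category .rules file to get the list of sids to disable while keeping the rest of the category enabled.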