Blacklists and other Internet resources – please share your favourites

Last month I had promised some commenters and readers I would publish some of my blacklists when I got home. In my defence I’m still not home but I organised some of my blacklists and other resources anyway. The list published below is a small collection from people I have met (CL merci) who have shared their lists with me. Chris’ list is not a comprehensive list but a good starter point for organising with examples. The document can be easily changed around for you or your organisation.

The list can be a basis for scraping data into ArcSight via a Flex Connector to update suspect or blacklists (active lists, metrics for reports, trends. They can also be used for built-in tools for ArcSight or similar with a small amount of scripting. ArcSight has a built in Who Is search tool, using similar parameters you can build a Google Safe Search Diagnostics too based on IP or Domain or perhaps search Virus Total. The information can also be added to intelligent web proxy servers. This is ideal since about 80% of traffic now goes over web HTTP/HTTPS. Web proxy servers are a major egress point in the perimeter.

This type of list can be helpful in operations when analysts need to find, use and reference resources quickly. The list can be used to build a department favourites list/internet based tools list. Also, many times information security websites will be marked and filtered by web proxy servers or anti-virus software. For example, I spoke at the 28C3 CCC last year and my anti-virus was Comodo on my laptop. The anti-virus software blocked the 28C3 CCC and affiliated Chaos Computer Club websites even after I disabled the DNS feature, physically pointed my DNS elsewhere and examined my hosts file. I had to reinstall a fresh OS to access the Chaos Computer Club websites. This type of list can be used to add exclusions to anti-virus or filters as legitimate resources for the security team or other similar departments.

Screenshot of example form below.

Chris’ Internet resource list

SHA256: a411c88cd1c5b02fa0a7a95a9c26e5335b15e73db94f8f16edeaf1c251de2e4f

Blank Internet resource list

MD5: 46553f361006335927aa12849b83464c

SHA-1: 51a26581dccc50eede954b82736799fb7ad6b3a5

SHA256: 24dc6625118799bfa7041ef72d3542f883b73d620afbd6a7ab673643be34a7dc

If you need this form in a different format please ask and I will try to accommodate for Open Office.

Please add to the form and comment. My list is Europe and North American centric, we would love other regional lists. Any other associated information is welcome.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: