topic Re: Who vets External Dynamic Lists (EDLs) in General Topics

Who vets External Dynamic Lists (EDLs)

LCMember1643 — Fri, 26 Jan 2018 13:52:28 GMT

The Knowledge article on blocking TOR, https://live.paloaltonetworks.com/t5/Featured-Articles/How-to-Block-Tor-The-Onion-Router/ta-p/177648, references a list on panwdbl.appspot.com. This website has a number of lists that can be used to filter traffic, including the list of TOR exit nodes.

What process is used to ensure these lists are accurate? It would be a major problem if, for example, 8.8.8.8 got added to the TOR list by accident or ill intent.

The TOR list is https://panwdbl.appspot.com/lists/ettor.txt

Re: Who vets External Dynamic Lists (EDLs)

BPry — Fri, 26 Jan 2018 14:38:33 GMT

@LCMember1643,

All of the EBLs listed on panwdbl.appspot.com are maintained by their respective publishers. For example the spamhaus DROP and EDROP are all maintained by the spamhaus project. panwdbl was started as a repository for customers to take advantage off, but it simply pulls the indicated lists and feeds them back out in a formate easier to use on a Palo Alto device, these lists are in no way maintained by Palo Alto.

Re: Who vets External Dynamic Lists (EDLs)

LCMember1643 — Fri, 26 Jan 2018 16:21:49 GMT

I wouldn't expect Palo Alto to vet the lists. I guess the question is, "Is there any entity that double checks any of the lists for invalid entries?" Or, do we have to trust that the list producer got it right?

Re: Who vets External Dynamic Lists (EDLs)

BPry — Fri, 26 Jan 2018 16:27:18 GMT

@LCMember1643,

You have to trust that the list provider got it right.

An alternative to this would be to install MineMeld. MineMeld is able to mine these lists and merge them into a sole source that is added to your firewall as an External Dynamic List. The advantage here is that MineMeld has the ability to create whitelists that prevent certain addresses from ever showing up on this list, so if you wanted to make sure that 8.8.8.8 wasn't ever included in your EDL and will never be blocked.

Re: Who vets External Dynamic Lists (EDLs)

OtakarKlier — Fri, 26 Jan 2018 20:37:31 GMT

Hello,

The ones from PAN are pretty good and I havent gotten burned by them in over 5 years. The one that burned me recently was https://www.abuseipdb.com/. There was an IP added to it that belonged to Digicert and messed up my users browsing badly. We decided to remove that EBL from our lists. I must say it was the first time in 5+ years of using that list. I did notify DigiCert about it but who knows where it went from there.

Here are the ones I currently use:

The two PAN ones - known malicious and High risk

http://panwdbl.appspot.com/lists/bruteforceblocker.txt

http://panwdbl.appspot.com/lists/dshieldbl.txt

http://panwdbl.appspot.com/lists/etcompromised.txt

http://panwdbl.appspot.com/lists/ettor.txt

http://panwdbl.appspot.com/lists/mdl.txt

http://panwdbl.appspot.com/lists/openbl.txt

http://panwdbl.appspot.com/lists/sslabuseiplist.txt

http://www.spamhaus.org/drop/drop.txt

http://www.spamhaus.org/drop/edrop.txt

http://panwdbl.appspot.com/lists/zeustrackerbadips.txt

Like @BPry mentioned, you could have your own and use MindMeld to host it.

Cheers!

Re: Who vets External Dynamic Lists (EDLs)

junior_r — Wed, 20 Jun 2018 22:13:55 GMT

Any other recommend list?

Re: Who vets External Dynamic Lists (EDLs)

junior_r — Wed, 20 Jun 2018 22:39:22 GMT

anyone use ransomwaretracker.abuse.ch

Re: Who vets External Dynamic Lists (EDLs)

OtakarKlier — Thu, 21 Jun 2018 02:44:07 GMT

I do not. However there is going to be a lot of overlap with what PAN has in their code that we cannot see.

Re: Who vets External Dynamic Lists (EDLs)

BPry — Thu, 21 Jun 2018 17:25:58 GMT

@OtakarKlier,

That's where and why I highly recommend MineMeld if you aren't simply using the built in EDL lists. This ensures that you aren't doubling up indicators and allows you to whitelist any indicator that you for sure don't want to be utilized even if it happens to exist in one of the EDLs you are pulling.