Who vets External Dynamic Lists (EDLs)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Who vets External Dynamic Lists (EDLs)

L1 Bithead

The Knowledge article on blocking TOR, https://live.paloaltonetworks.com/t5/Featured-Articles/How-to-Block-Tor-The-Onion-Router/ta-p/177648, references a list on panwdbl.appspot.com. This website has a number of lists that can be used to filter traffic, including the list of TOR exit nodes. 

 

What process is used to ensure these lists are accurate? It would be a major problem if, for example, 8.8.8.8 got added to the TOR list by accident or ill intent.

 

The TOR list is https://panwdbl.appspot.com/lists/ettor.txt 

 

8 REPLIES 8

Cyber Elite
Cyber Elite

@LCMember1643,

All of the EBLs listed on panwdbl.appspot.com are maintained by their respective publishers. For example the spamhaus DROP and EDROP are all maintained by the spamhaus project. panwdbl was started as a repository for customers to take advantage off, but it simply pulls the indicated lists and feeds them back out in a formate easier to use on a Palo Alto device, these lists are in no way maintained by Palo Alto. 

L1 Bithead

I wouldn't expect Palo Alto to vet the lists. I guess the question is, "Is there any entity that double checks any of the lists for invalid entries?" Or, do we have to trust that the list producer got it right?

@LCMember1643,

You have to trust that the list provider got it right. 

An alternative to this would be to install MineMeld. MineMeld is able to mine these lists and merge them into a sole source that is added to your firewall as an External Dynamic List. The advantage here is that MineMeld has the ability to create whitelists that prevent certain addresses from ever showing up on this list, so if you wanted to make sure that 8.8.8.8 wasn't ever included in your EDL and will never be blocked. 

Hello,

The ones from PAN are pretty good and I havent gotten burned by them in over 5 years. The one that burned me recently was https://www.abuseipdb.com/. There was an IP added to it that belonged to Digicert and messed up my users browsing badly. We decided to remove that EBL from our lists. I must say it was the first time in 5+ years of using that list. I did notify DigiCert about it but who knows where it went from there.

 

Here are the ones I currently use:

 

The two PAN ones - known malicious and High risk

http://panwdbl.appspot.com/lists/bruteforceblocker.txt

http://panwdbl.appspot.com/lists/dshieldbl.txt

http://panwdbl.appspot.com/lists/etcompromised.txt

http://panwdbl.appspot.com/lists/ettor.txt

http://panwdbl.appspot.com/lists/mdl.txt

http://panwdbl.appspot.com/lists/openbl.txt

http://panwdbl.appspot.com/lists/sslabuseiplist.txt

http://www.spamhaus.org/drop/drop.txt

http://www.spamhaus.org/drop/edrop.txt

http://panwdbl.appspot.com/lists/zeustrackerbadips.txt

 

Like @BPry mentioned, you could have your own and use MindMeld to host it.

 

Cheers!

Any other recommend list?

anyone use ransomwaretracker.abuse.ch

I do not. However there is going to be a lot of overlap with what PAN has in their code that we cannot see.

@OtakarKlier,

That's where and why I highly recommend MineMeld if you aren't simply using the built in EDL lists. This ensures that you aren't doubling up indicators and allows you to whitelist any indicator that you for sure don't want to be utilized even if it happens to exist in one of the EDLs you are pulling. 

  • 6511 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!