01-26-2018 05:52 AM
The Knowledge article on blocking TOR, https://live.paloaltonetworks.com/t5/Featured-Articles/How-to-Block-Tor-The-Onion-Router/ta-p/177648, references a list on panwdbl.appspot.com. This website has a number of lists that can be used to filter traffic, including the list of TOR exit nodes.
What process is used to ensure these lists are accurate? It would be a major problem if, for example, 8.8.8.8 got added to the TOR list by accident or ill intent.
The TOR list is https://panwdbl.appspot.com/lists/ettor.txt
01-26-2018 06:38 AM
All of the EBLs listed on panwdbl.appspot.com are maintained by their respective publishers. For example, the Spamhaus DROP and EDROP lists are maintained by the Spamhaus project. panwdbl was started as a repository for customers to take advantage of, but it simply pulls the indicated lists and feeds them back out in a format that is easier to use on a Palo Alto device; these lists are in no way maintained by Palo Alto.
01-26-2018 08:21 AM
I wouldn't expect Palo Alto to vet the lists. I guess the question is, "Is there any entity that double checks any of the lists for invalid entries?" Or, do we have to trust that the list producer got it right?
01-26-2018 08:27 AM
You have to trust that the list provider got it right.
An alternative to this would be to install MineMeld. MineMeld is able to mine these lists and merge them into a sole source that is added to your firewall as an External Dynamic List. The advantage here is that MineMeld has the ability to create whitelists that prevent certain addresses from ever showing up on this list, so you can make sure that 8.8.8.8, for example, is never included in your EDL and will never be blocked.
01-26-2018 12:37 PM
Hello,
The ones from PAN are pretty good and I haven't gotten burned by them in over 5 years. The one that burned me recently was https://www.abuseipdb.com/. There was an IP added to it that belonged to DigiCert and messed up my users' browsing badly. We decided to remove that EBL from our lists. I must say it was the first time in 5+ years of using that list. I did notify DigiCert about it, but who knows where it went from there.
Here are the ones I currently use:
The two PAN ones - known malicious and High risk
http://panwdbl.appspot.com/lists/bruteforceblocker.txt
http://panwdbl.appspot.com/lists/dshieldbl.txt
http://panwdbl.appspot.com/lists/etcompromised.txt
http://panwdbl.appspot.com/lists/ettor.txt
http://panwdbl.appspot.com/lists/mdl.txt
http://panwdbl.appspot.com/lists/openbl.txt
http://panwdbl.appspot.com/lists/sslabuseiplist.txt
http://www.spamhaus.org/drop/drop.txt
http://www.spamhaus.org/drop/edrop.txt
http://panwdbl.appspot.com/lists/zeustrackerbadips.txt
Like @BPry mentioned, you could have your own and use MineMeld to host it.
Cheers!
06-20-2018 03:13 PM
Any other recommended list?
06-20-2018 03:39 PM
Anyone use ransomwaretracker.abuse.ch?
06-20-2018 07:44 PM
I do not. However there is going to be a lot of overlap with what PAN has in their code that we cannot see.
06-21-2018 10:25 AM
That's where and why I highly recommend MineMeld if you aren't simply using the built-in EDL lists. This ensures that you aren't doubling up indicators and allows you to whitelist any indicator that you for sure don't want to be utilized, even if it happens to exist in one of the EDLs you are pulling.
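The aggregation and whitelisting that the replies above attribute to MineMeld (merging several feeds into one EDL, deduplicating, and guaranteeing that an address such as 8.8.8.8 from the original question can never reach the block list) can be illustrated in a few dozen lines. The following is an added example written for this thread; it is not MineMeld code, not Palo Alto code, and not the content of any of the linked lists. The two feeds and the whitelist are constructed inline (RFC 5737 documentation ranges plus 8.8.8.8 as the "must never block" case). It also reports entries that are not valid addresses, which is the kind of sanity check the question asks about.

```python
import ipaddress

# Constructed sample feeds standing in for two plain-text EDLs (made-up entries,
# not the real list contents). One line per indicator, '#' starts a comment.
FEED_A = """# tor-exit-style list (constructed)
203.0.113.10
203.0.113.11
8.8.8.8
198.51.100.0/24
"""
FEED_B = """# bruteforce-style list (constructed)
203.0.113.11
192.0.2.0/24
not-an-address
"""

# Whitelist: networks that must never be blocked, even if a feed lists them
# (constructed; 8.8.8.8 is the example raised in the question).
ALLOWLIST = ["8.8.8.8", "192.0.2.50"]


def parse_feed(text):
    """Parse a plain-text feed into ip_network objects; return (entries, rejected_lines)."""
    entries, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        try:
            entries.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)              # garbage stays out of the firewall list
    return entries, rejected


def subtract_allowlist(net, allowed):
    """Return the pieces of `net` left after carving out every allowlisted network.

    A feed entry equal to or inside an allowlisted network is dropped entirely;
    a feed entry that is a supernet of one is split around it, so the rest of
    the range is still blocked (a /24 does not lose coverage because of one host).
    """
    pieces = [net]
    for a in allowed:
        next_pieces = []
        for p in pieces:
            if not p.overlaps(a):              # overlaps() is False across IPv4/IPv6
                next_pieces.append(p)
            elif a.supernet_of(p):             # whole piece is allowlisted
                continue
            else:                              # `a` is strictly inside `p`
                next_pieces.extend(p.address_exclude(a))
        pieces = next_pieces
    return pieces


def merge_feeds(feeds, allowlist):
    """Merge feeds into one deduplicated, collapsed block list with the allowlist removed."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    merged, rejected, suppressed = set(), [], []
    for text in feeds:
        entries, bad = parse_feed(text)
        rejected.extend(bad)
        for net in entries:
            remaining = subtract_allowlist(net, allowed)
            if remaining != [net]:
                suppressed.append(str(net))    # record entries the allowlist touched
            merged.update(remaining)           # set membership removes cross-feed duplicates
    # collapse_addresses() requires a single IP version, so collapse v4 and v6 separately
    by_version = {4: [], 6: []}
    for net in merged:
        by_version[net.version].append(net)
    collapsed = [n for v in (4, 6) for n in ipaddress.collapse_addresses(by_version[v])]
    return {"edl": [str(n) for n in collapsed], "suppressed": suppressed, "rejected": rejected}


def is_blocked(edl, ip):
    """True if `ip` falls inside any entry of the rendered block list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry) for entry in edl)


def render_edl(result):
    """One indicator per line, the format a firewall EDL fetch expects."""
    return "\n".join(result["edl"]) + "\n"


if __name__ == "__main__":
    result = merge_feeds([FEED_A, FEED_B], ALLOWLIST)
    print(render_edl(result))
    print("suppressed by allowlist:", result["suppressed"])
    print("rejected as malformed:", result["rejected"])
```

Carving rather than dropping is the design choice worth noticing: if a feed publishes a whole /24 that happens to contain one address you must keep reachable, dropping the /24 silently weakens the block list, while splitting it around the allowlisted host keeps every other address blocked. Reviewing the `suppressed` and `rejected` output on each refresh is also a cheap way to spot a feed that has started publishing something it should not.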