I mentioned previously that I use a local IP reputation database to help with packet analysis. It's handy for looking up the reputation of a source or destination IP address, especially if your database contains reputation data from various sources. Last night I decided to use that data in a blacklist with Snort's reputation preprocessor. Today I'm going to remove that blacklist, and I'll tell you why.
I was so ensnared by the idea of having a blacklist to block traffic to sites with bad reputations that I forgot one fundamental aspect: the fact that many sites share the same IP address. The example that comes to mind is shared hosting, where something like Apache virtual hosts is used. In this scenario, many websites may share a single public IP address.
This means that if one of those sites is hosting malware files for download, the reputation of that single public IP address will be bad, even if the other sites hosted on it are clean and not hosting any malware or other baddies.
Because I didn't want to block traffic to legitimate sites, I turned on the preprocessor and enabled the requisite GID 136 rules to alert only, not to actually stop any of the traffic.
After a while, I had thousands of alerts. Spot checking many of them, I noticed that they did not appear to involve any untoward content. I looked the addresses up on clean-mx.de and realized that it was other sites hosted on those IP addresses that contained malicious content, not the ones being visited from my network.
If I had chosen to drop or block that traffic, I would have cut off communications with legitimate sites that just happen to be hosted on the same IP as a malicious site.
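The spot check above can be done systematically: match each outbound flow against the IP list the way the preprocessor does, then split the hits by the HTTP Host header, so that a hit is only "confirmed" when the hostname itself is known to be bad and everything else is flagged as a co-hosted, probably benign, site. The script below is an added example, not code from the original post or from Snort; the blacklist, the bad-hostname set, the log lines and all addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from typing import NamedTuple

# Constructed sample blacklist in the one-IP-or-CIDR-per-line style of a
# Snort reputation list. Documentation addresses only, not real reputation data.
BLACKLIST_TEXT = """\
# constructed blacklist
203.0.113.10
198.51.100.0/24
"""

# Constructed hostname-level intelligence: the one vhost actually serving
# malware in this scenario. A real deployment would take this from a URL feed.
BAD_HOSTS = {"malware.example.net"}

# Constructed HTTP proxy/flow log: timestamp, src IP, dst IP, Host header, path.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 203.0.113.10 www.example.org /index.html
2024-01-01T10:00:02 10.0.0.7 203.0.113.10 malware.example.net /dl/payload.bin
2024-01-01T10:00:03 10.0.0.9 203.0.113.10 shop.example.com /cart
2024-01-01T10:00:04 10.0.0.5 198.51.100.7 blog.example.com /
2024-01-01T10:00:05 10.0.0.5 192.0.2.44 www.example.org /about
"""


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    host: str
    path: str


def load_blacklist(text):
    """Parse an IP/CIDR list into network objects, skipping blanks and comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def parse_log(text):
    """Turn the whitespace-separated log lines into Flow records."""
    return [Flow(*line.split()) for line in text.splitlines() if line.strip()]


def ip_listed(ip, nets):
    """True if the address falls inside any listed IP or CIDR (IP-level match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def vhosts_per_ip(flows):
    """Map each destination IP to the sorted set of Host headers seen on it."""
    seen = defaultdict(set)
    for f in flows:
        seen[f.dst].add(f.host)
    return {ip: sorted(hosts) for ip, hosts in seen.items()}


def triage(flows, nets, bad_hosts):
    """Split IP-reputation hits into confirmed (hostname is bad) and co-hosted.

    Returns (confirmed, cohosted) as two lists of Flow; the co-hosted list is
    exactly the traffic a drop-mode blacklist would have cut off for no reason.
    """
    confirmed, cohosted = [], []
    for f in flows:
        if not ip_listed(f.dst, nets):
            continue
        (confirmed if f.host in bad_hosts else cohosted).append(f)
    return confirmed, cohosted


if __name__ == "__main__":
    nets = load_blacklist(BLACKLIST_TEXT)
    flows = parse_log(SAMPLE_LOG)
    confirmed, cohosted = triage(flows, nets, BAD_HOSTS)
    print(f"IP-level hits: {len(confirmed) + len(cohosted)}, "
          f"confirmed by hostname: {len(confirmed)}, co-hosted only: {len(cohosted)}")
    for ip, hosts in vhosts_per_ip(flows).items():
        if ip_listed(ip, nets):
            print(f"{ip} serves {len(hosts)} vhost(s): {', '.join(hosts)}")
    print("Would have been blocked in drop mode despite clean hostnames:")
    for f in cohosted:
        print(f"  {f.src} -> {f.host}{f.path} ({f.dst})")
```

On the constructed log, four flows hit the IP list but only one goes to the hostname that is actually bad; the other three are co-hosted sites, which is the same ratio problem the thousands of GID 136 alerts showed. The useful output is the per-IP vhost count: an IP that serves many distinct Host headers is a poor candidate for drop mode, whatever its reputation score.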
If you're extremely security conscious and do not want any affiliation with malicious sites, then maybe you would want to block traffic to any IPs hosting any type of malicious content. However, I don't think it is fair to punish other websites because they chose the wrong hosting provider, or simply got stuck on the same IP address as a site hosting malware.