Quote:
Originally Posted by rs232
(..) the public IP black lists are provided in the format sIP-dIP.
|
First of all I view any lists as no more than "mildly helpful" as there are a few concerns with lists in general that (should) raise questions. Especially with aggregates there often is no way to find out more about origin quality in terms of disparate sensor platforms, sensor accuracy and scope, timeliness, aggregation (software!) errors, et cetera. For example scan reports are the product of a highly temporal focus on IP ranges, ports and applications. So while security should be thought of as multi-layered and continuously changing, the local "meaning" of a list is defined by its neighbourhood, network security posture, machine security footprint and actual application use. So if you're in APAC it doesn't make sense to use US-centric lists, if you're not running for example publicly accessible MongoDB, Elasticsearch or IIS then results "polluted" by related Snort signatures will only result in (N)IDS, SIEM or firewall performance degradation and if you're using proxy or Tor exit node lists then you're SOL anyway as those change constantly.
Quote:
Originally Posted by rs232
This involves a painful (in terms of CPU time) conversion from ranges into subnets
|
Script something using Perl's Net::CIDR or Python's netaddr or cidrize?
Quote:
Originally Posted by rs232
and an exceptional treatment for individual IPs. (..) unless I'm missing something it doesn't seem to add much value to what I'm after.
|
If "exceptional treatment" != punching holes then it depends on your definition / explanation of things.
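The range-to-subnet conversion and the single-IP handling discussed above, as an added example that is not part of the original post or the poster's own script. Instead of netaddr or Net::CIDR it uses only Python's standard `ipaddress` module (`summarize_address_range` does the range splitting, `collapse_addresses` merges overlapping results); the input list is constructed here in the `sIP-dIP` format the thread describes, with a bare IP on a line treated as a single host.

```python
import ipaddress

# Constructed sample block list in sIP-dIP form; one bare IP, one comment,
# and one deliberately reversed range to exercise the error path.
SAMPLE_LIST = """\
192.0.2.0-192.0.2.255
198.51.100.10-198.51.100.20
203.0.113.7
# comment lines are ignored
203.0.113.8-203.0.113.7
"""


def parse_entry(line):
    """Return (start, end) addresses for one list line, or None to skip it.

    A line without '-' is a single host and becomes a start==end range,
    which summarize_address_range turns into a /32 (or /128 for IPv6).
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if "-" in line:
        start_s, end_s = line.split("-", 1)
    else:
        start_s = end_s = line
    start = ipaddress.ip_address(start_s.strip())
    end = ipaddress.ip_address(end_s.strip())
    if start.version != end.version:
        raise ValueError(f"mixed address families: {line!r}")
    if end < start:
        raise ValueError(f"end address precedes start: {line!r}")
    return start, end


def range_to_cidrs(start_s, end_s):
    """Split an inclusive address range into the minimal list of CIDR strings."""
    start = ipaddress.ip_address(start_s)
    end = ipaddress.ip_address(end_s)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def convert_list(text, collapse=False):
    """Convert a whole sIP-dIP list to CIDR strings.

    Returns (networks, rejected_line_numbers). Malformed lines are skipped
    rather than aborting the run, so one bad aggregate entry cannot wipe out
    the whole feed. With collapse=True, overlapping or adjacent results are
    merged with ipaddress.collapse_addresses.
    """
    nets = []
    rejected = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            parsed = parse_entry(line)
        except ValueError:
            rejected.append(lineno)
            continue
        if parsed is None:
            continue
        nets.extend(ipaddress.summarize_address_range(*parsed))
    if collapse:
        nets = list(ipaddress.collapse_addresses(nets))
    return [str(n) for n in nets], rejected


if __name__ == "__main__":
    networks, bad = convert_list(SAMPLE_LIST)
    for n in networks:
        print(n)
    if bad:
        print("rejected lines:", bad)
```

`summarize_address_range` already emits the fewest prefixes that exactly cover a range, so no manual bit arithmetic is needed; the cost the thread complains about largely comes down to doing this once per entry and caching the output rather than recomputing it on every firewall reload.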