
J,

Did you intend to provide the script for others to use and add data, or just the data you collected so far?

Regards,
Oren

On Wed, Oct 23, 2013 at 8:04 AM, J. Oquendo <sil at infiltrated.net> wrote:
On Tue, 22 Oct 2013, Jay Hennigan wrote:
On 10/22/13 6:57 AM, J. Oquendo wrote:
Going to cross-post this to the list (I know some of us criss-cross lists). Reasoning: a lot of IP PBXs have web-based interfaces, and some need to be on the public Internet.
Cobbled together a script to scrape my logs, parse out web-based attackers (SQLi, XSS, CSRF, etc.) and compile said list for blacklisting. The script is pulling from 6 different web servers for now. I may add more later depending on whether or not I see a lot of usage.
Thanks. I personally would like to see it as solely raw IP addresses rather than a mix of IPs and PTRs. The PTRs may not match forward DNS, particularly if a bad guy has control of rDNS.
I changed it up, but will leave the existing domains on there. I thought about this (domains vs. IPs) in the sense that filtering (WAF) often tends to rely on domains. Then I thought about matching domains to IPs in that instance, but it wouldn't have been cumbersome considering anyone can edit /etc/hosts or c:\windows\system32\etc\drivers\hosts, so I left it alone. As of about 20 minutes after the original post, I re-configured Apache to stop hostname lookups.
-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF

_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops
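The script discussed in the thread was not posted. The following is an added example, not the author's script, of the approach described above: parse Apache combined-format access log lines, flag requests that match a few illustrative SQLi/XSS/traversal/scanner signatures, and emit a blacklist of raw IP addresses only. Any host field that is a hostname rather than an address (what Apache writes when HostnameLookups is On) is set aside instead of being trusted, which is the concern Jay raised about PTRs. The log lines, the signature list and the function names are constructed for illustration.

```python
import ipaddress
import re
import sys
from urllib.parse import unquote

# Apache "combined" log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Illustrative signatures (an assumption for this example, not the list author's rules).
# Checked against the URL-decoded request line plus the Referer and User-Agent headers.
SIGNATURES = {
    "sqli": re.compile(
        r"\bunion\b.{0,40}\bselect\b|'\s*or\s+'?\d|\bsleep\s*\(|\bbenchmark\s*\("
        r"|information_schema|\bor\s+\d+\s*=\s*\d+",
        re.I,
    ),
    "xss": re.compile(r"<script\b|javascript:|onerror\s*=|onload\s*=|alert\s*\(", re.I),
    "traversal": re.compile(r"(\.\./){2,}|%2e%2e%2f", re.I),
    "scanner": re.compile(r"sqlmap|nikto|acunetix|w3af", re.I),
}

# Constructed sample log lines (RFC 5737 / RFC 3849 documentation addresses).
# The fourth line has a hostname in the host field, as HostnameLookups On would produce.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Oct/2013:06:41:02 -0400] "GET /admin/users.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [22/Oct/2013:06:41:09 -0400] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.44 - - [22/Oct/2013:06:42:15 -0400] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
pbx-scan.example.net - - [22/Oct/2013:06:43:30 -0400] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404 290 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Oct/2013:06:44:01 -0400] "GET /login.php HTTP/1.1" 200 900 "-" "sqlmap/1.0-dev"
2001:db8::1 - - [22/Oct/2013:06:45:00 -0400] "GET /?q=1%20UNION%20SELECT%20user,password%20FROM%20mysql.user HTTP/1.1" 500 120 "-" "curl/7.30"
"""


def classify(line):
    """Return (host, category) if the line looks like an attack, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = [f for f in (m["request"], m["referer"], m["ua"]) if f]
    # Decode twice: attackers often double-encode to slip past naive filters.
    haystack = unquote(unquote(" ".join(fields)))
    for category, rx in SIGNATURES.items():
        if rx.search(haystack):
            return m["host"], category
    return None


def is_ip(host):
    """True for a literal IPv4/IPv6 address, False for anything else (e.g. a PTR name)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_blacklist(lines):
    """Return (sorted unique attacker IPs, hostnames skipped because they were not IPs)."""
    ips, skipped = set(), []
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        host, _category = hit
        if is_ip(host):
            ips.add(host)
        else:
            # A name here came from a reverse lookup the attacker may control; do not trust it.
            skipped.append(host)
    # Sort IPv4 before IPv6, then numerically; mixed-version addresses do not compare directly.
    ordered = sorted(ips, key=lambda h: (ipaddress.ip_address(h).version, ipaddress.ip_address(h)))
    return ordered, skipped


if __name__ == "__main__":
    # Usage: python blacklist.py access.log [more.log ...]; with no files, runs on the sample.
    if len(sys.argv) > 1:
        lines = [ln for path in sys.argv[1:] for ln in open(path, encoding="utf-8", errors="replace")]
    else:
        lines = SAMPLE_LOG.splitlines()
    blacklist, skipped = build_blacklist(lines)
    print("\n".join(blacklist))
    for name in skipped:
        print(f"# skipped non-IP host: {name}", file=sys.stderr)
```

Run against real logs, the output is one address per line, ready to feed into a firewall or WAF deny list; hostnames are reported on stderr only so they never end up in the list. Turning HostnameLookups Off in Apache, as the author did, makes the skipped list empty for new log lines.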