Does anybody know why, when from time to time I look up an IP listed in an Onion alert like "ET 3CORESec Poor Reputation IP group 13," ISC shows no reports? How does a bad reputation not have any reports? What's the skinny on ThreatSTOP, Internet Storm Center, and whatever other bad-IP databases? Wondering if my block list is an exercise in time-wasting futility these days. How does Security Onion reflect on or interface with the known bad-actor IPs for rule purposes? Is anybody seeing something similar? I'm guessing it just takes longer for things to time out with Onion updates. Sorry for all the numerous related questions. ;-)
-
Here's the rule that generated that alert:
This is a rule in the Emerging Threats ruleset that comes from reputation data provided by a separate organization called 3CORESec. When this rule fires, it just means that the IP address is in the group of IP addresses listed above that 3CORESec considers to be Poor Reputation. That doesn't necessarily mean that ISC or any other database has the same intel, context, or reputation for that IP address.
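One practical way to act on the point made in the answer above (a reputation hit from one feed is only that feed's opinion) is to cross-reference the external IP from each alert against every feed you hold and record which ones agree. The script below is an added example written for this thread, not Security Onion or 3CORESec code. The eve.json-style alert records and the three feed lists are constructed sample data; the feed names are labels only, and the home network 192.0.2.0/24 is an assumption used to decide which side of the flow is the external IP.

```python
import ipaddress
import json

# Constructed sample alert records in Suricata eve.json shape (not real traffic).
# Security Onion stores Suricata alerts in this format, one JSON object per line.
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "alert", "src_ip": "203.0.113.45", "dest_ip": "192.0.2.10",
                "alert": {"signature": "ET 3CORESec Poor Reputation IP group 13"}}),
    json.dumps({"event_type": "alert", "src_ip": "192.0.2.10", "dest_ip": "198.51.100.7",
                "alert": {"signature": "ET 3CORESec Poor Reputation IP group 13"}}),
    # A non-alert record; the cross-reference must ignore it.
    json.dumps({"event_type": "flow", "src_ip": "192.0.2.10", "dest_ip": "198.51.100.200"}),
]

# Constructed stand-ins for locally cached reputation feeds. Real feeds are fetched
# from their providers; entries here are documentation-range addresses and the
# feed names are used purely as labels.
SAMPLE_FEEDS = {
    "3coresec": ["203.0.113.0/24", "198.51.100.7"],
    "isc": ["198.51.100.7"],
    "local_blocklist": ["203.0.113.45"],
}

# Assumed home network; anything outside it is treated as the external party.
HOME_NETS = ("192.0.2.0/24",)


def load_feeds(feeds):
    """Parse each feed's entries (single IPs or CIDR blocks) into ip_network objects."""
    return {name: [ipaddress.ip_network(entry, strict=False) for entry in entries]
            for name, entries in feeds.items()}


def feeds_listing(ip, networks):
    """Return the sorted names of every feed whose ranges contain this IP."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, nets in networks.items()
                  if any(addr in net for net in nets))


def cross_reference(eve_lines, feeds=SAMPLE_FEEDS, home_nets=HOME_NETS):
    """For each alert, look up the external IP in every feed and report agreement.

    Each result carries the IP, the triggering signature, the feeds that list it,
    and a 'corroborated' flag that is True only when at least two feeds agree.
    """
    networks = load_feeds(feeds)
    home = [ipaddress.ip_network(net) for net in home_nets]
    results = []
    for line in eve_lines:
        record = json.loads(line)
        if record.get("event_type") != "alert":
            continue
        for ip in (record["src_ip"], record["dest_ip"]):
            if any(ipaddress.ip_address(ip) in net for net in home):
                continue  # skip our own side of the flow
            listed_in = feeds_listing(ip, networks)
            results.append({
                "ip": ip,
                "signature": record["alert"]["signature"],
                "listed_in": listed_in,
                "corroborated": len(listed_in) >= 2,
            })
    return results


if __name__ == "__main__":
    for hit in cross_reference(SAMPLE_EVE_LINES):
        feeds = ", ".join(hit["listed_in"]) or "none"
        print(f"{hit['ip']:<16} {hit['signature']}: listed in {feeds} "
              f"(corroborated={hit['corroborated']})")
```

Swap the constructed feed dictionary for files you actually download and the sample lines for a tail of your eve.json, and the "listed_in" column shows directly how often the ET reputation group is backed by a second source; an IP that only ever appears in one feed is the case the answer describes.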
-
Some of these threat feeds cannot even agree on what country an IP is located in. Stuff's getting to be a real crapshoot.