Topic
  • 17 replies
  • Latest Post - 2013-11-06T15:54:44Z by Uhaba
SystemAdmin (276 Posts)

Pinned topic Bot_Control, Targeted ports, Bogon IP's, Hostile Nets, etc - Where does QRadar get these address lists?

2010-11-10T20:50:09Z
Over the last while, more users have asked us where we populate our remote network lists from, for the Bogon, Botnets, Hostile Networks & Top Targeted ports. These configuration sets are pushed out via the Autoupdate process, and are used by the "Remote Networks" view. Below is the list of where we get this information from.
Top Targeted Ports: D-Shield
http://www.dshield.org

Botnets: Emerging threats.
http://rules.emergingthreats.net/blockrules/emerging-botcc.rules

They collaborate their information with a couple of sites, http://www.shadowserver.org and http://www.honeynet.cz

Bogon IPs:
http://www.cymru.com/Documents/bogon-bn-nonagg.txt

Hostile Nets:
http://www.dshield.org/ipsascii.html?limit=20

Smurf:
http://www.powertech.no/smurf/list.cgi?format=dense
If any users have other suggestions, we can forward them onto the security group that collects and uses this data to create these groups, for -possible- inclusion in the remote networks view.

dwight s.
Posted By dwight (q1)
Updated on 2013-03-06T21:31:41Z by SystemAdmin
  • SystemAdmin (276 Posts)

    Re: I would suggest extending

    2010-11-14T04:39:20Z
    I would suggest extending beyond just IP addresses and start pulling data from the following sources as well for domains/IPs:

    http://amada.abuse.ch/blocklist.php
    https://spyeyetracker.abuse.ch/blocklist.php
    https://zeustracker.abuse.ch/blocklist.php
    http://www.malwaredomains.com/files/domains.txt
    Those would be an excellent start to check proxy logs, URLs in firewall logs, etc. If QRadar could use this to check 'HOST:' entries in flows as well, this would be great.
    --JD


    Posted By Guest
  • SystemAdmin (276 Posts)

    Re: Any Changes?

    2011-03-14T16:27:48Z
    This is over 2 1/2 years ago. I'm assuming that there have been some changes...
    Posted By Guest
  • SystemAdmin (276 Posts)

    Re: These are current

    2011-03-15T21:32:10Z
    Hi lisham ..

    I checked with the team, and those are current.

    dwight
    Posted By dwight (q1)
  • SystemAdmin (276 Posts)

    Re: malwaredomains.com

    2011-04-18T20:59:14Z
    Hello,

    How would I create a list of known evil (i.e. malwaredomains) that is updated daily?

    Thanks,

    John
    Posted By John Mcleod
  • SystemAdmin (276 Posts)

    Re: Bogon list includes 127.0.0.1 resulting in many false positives

    2011-08-22T15:31:24Z
    We're getting MANY "Suspicious Activity - Event CRE" events created with the source IP of our Q1 appliances and destination of 127.0.0.1, presumably because the Bogon List includes 127.0.0.0/8. I don't see an easy way to remove that network, and I'm afraid that even if I remove it, it will get updated and added again. What's the best way to prevent this false-positive event from occurring?
    Posted By Mike Pilkington
  • SystemAdmin (276 Posts)

    Re: John, I will need to check

    2011-08-23T02:39:40Z
    John, I will need to check with dev and product management on the roadmap, but I am pretty sure the malwaredomains are still listed in the weekly auto update at present time.
    Posted By Aaron.Breen
  • SystemAdmin (276 Posts)

    Re: Mike, this could be a

    2011-08-23T02:45:42Z
    Mike, this could be a misconfigured log source. You should contact support and we can walk through it.
    Posted By Aaron.Breen
  • SystemAdmin (276 Posts)

    Re: Update Interval.

    2012-04-24T19:28:37Z
    Hello,

    I have a couple of questions regarding these lists:

    Is it possible to update these lists separately from the other updates on the system?
    How often does QRadar update the main list against those databases online?
    Is there a script that could be used to add more lists apart from the ones used currently?

    Thank you,


    Posted By Carlos Aguilera
  • SystemAdmin (276 Posts)

    Re: These updates are part of the

    2012-04-25T00:58:27Z
    These updates are part of the "Configuration Updates", which include configuration file changes, vulnerability, QID map, and security threat information updates.

    They get updated once a week.

    You can add new lists in the Remote Networks on the admin tab. This GUI updates a text file in your config, remotenet.conf. Scripting changes to this file is possible, but I would suggest engaging Services to help you write an effective script. Maybe someone else has written one that they would like to share?
    Posted By Xavier Ashe
  • SystemAdmin (276 Posts)

    Re: Reviewing the traffic to

    2012-06-15T12:46:50Z
    Reviewing the traffic to remote nets I came across a few items which I don't know how to resolve - like why multicast addresses are listed as Bogon IPs. The prior Q&A and other posts about remote networks lead me to conclude that if I don't want 224.0.0/24 showing as a bogon network, my changes will be deleted at the next update. Am I missing something or are these sources overly broad?
    Posted By Sean @ MITRE
  • SystemAdmin (276 Posts)

    Re: We see the same thing and

    2012-11-08T15:53:07Z
    We see the same thing and it's not misconfigured log sources. It's the QRadar system 99% of the time generating internal traffic on 127.0.0.0/8 ranges. The other problem is that multicast traffic IP ranges are part of the bogon IP list, which causes a similar problem.
    Posted By mrcantr
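    Two points in this thread go together: Xavier's note that changes to the remote-network lists can be scripted, and the reports above that the Bogon group as delivered flags the appliances' own 127.0.0.0/8 traffic and multicast. The script below is an added example, not QRadar code and not the script Ventz mentions. It assumes a feed in the shape of the Team Cymru bogon list linked in the first post (one prefix per line, `#` starting a comment); the `remotenet.conf` line format is not shown on the page, so the script stops at a cleaned list of CIDR strings that can be re-applied after every feed refresh. The sample feed and the exclusion ranges are constructed for the example.

```python
"""Clean a bogon/hostile-network feed before it is loaded into a SIEM group.

Added example, not QRadar code and not the script mentioned in the thread.
Assumes a feed shaped like the Team Cymru bogon list: one prefix per line,
'#' starting a comment. The remotenet.conf line format is not on the page,
so the output is a plain list of CIDR strings.
"""
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network

# The two ranges the thread reports as false-positive generators when they sit
# in the "Bogon" group: appliance-internal loopback traffic and multicast.
DEFAULT_EXCLUSIONS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("224.0.0.0/4"),
)

# Constructed sample feed (not real feed output); includes a malformed line.
SAMPLE_FEED = """\
# constructed sample in the shape of a bogon feed
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8        # loopback: would flag the SIEM's own traffic
192.0.2.0/24
224.0.0.0/3        # multicast plus the reserved 240/4 block
not-a-prefix
"""


def parse_feed(text: str) -> List[IPv4Net]:
    """Parse one-prefix-per-line feed text; skip blanks, comments and bad lines."""
    nets: List[IPv4Net] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # a malformed entry is dropped instead of poisoning the list
        if isinstance(net, IPv4Net):
            nets.append(net)
    return nets


def _subtract(net: IPv4Net, ex: IPv4Net) -> List[IPv4Net]:
    """Remove `ex` from `net`; two CIDR blocks either nest or are disjoint."""
    if net.subnet_of(ex):          # net lies entirely inside the exclusion
        return []
    if ex.subnet_of(net):          # exclusion sits inside net: carve it out
        return list(net.address_exclude(ex))
    return [net]                   # disjoint: untouched


def filter_feed(nets: Iterable[IPv4Net],
                exclusions: Iterable[IPv4Net] = DEFAULT_EXCLUSIONS) -> List[IPv4Net]:
    """Apply every exclusion, then merge adjacent blocks into a minimal list."""
    work = list(nets)
    for ex in exclusions:
        work = [piece for net in work for piece in _subtract(net, ex)]
    return list(ipaddress.collapse_addresses(work))


def build_block_list(text: str,
                     exclusions: Iterable[IPv4Net] = DEFAULT_EXCLUSIONS) -> List[str]:
    """Feed text in, cleaned CIDR strings out; rerun after each feed refresh."""
    return [str(n) for n in filter_feed(parse_feed(text), exclusions)]


def matches(ip: str, cidrs: Iterable[str]) -> bool:
    """True if `ip` falls inside any CIDR string (sanity check before loading)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    cleaned = build_block_list(SAMPLE_FEED)
    print("\n".join(cleaned))
    print("127.0.0.1 flagged:", matches("127.0.0.1", cleaned))
    print("10.1.2.3 flagged:", matches("10.1.2.3", cleaned))
```

    Because the exclusions are applied to the downloaded feed rather than edited into the group by hand, the weekly auto update cannot silently reintroduce 127.0.0.0/8 or multicast: the script is simply run again on the new feed. Carving an exclusion out of a wider block (224.0.0.0/3 becomes 240.0.0.0/4) keeps the rest of that block on the list instead of dropping it wholesale.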
  • SystemAdmin (276 Posts)

    Re: I have a script to add any source

    2012-12-14T16:22:27Z
    Xavier, I wrote a script that can add any input source. We are using this for "Seculert". I'll clean it up and post it here.
    Posted By Ventz Petkov
  • SystemAdmin (276 Posts)

    Re: Auto update external feed still current?

    2013-03-06T21:31:41Z
    I am investigating integrating external feeds into QRadar. I did a search and found this post and the list on this link (https://qmmunity.q1labs.com/node/2831).
    1. Are these public feeds still the current sources?
    2. Are the upgrade frequencies listed still valid?
    3. I understand where the information from remotenet.conf and geodata.conf is utilized and presented on the console. But where does the information from socialnet.list appear on the console or get utilized?

    4. Everything above relates to public feeds. I believe there is also a subscription feed from X-Force.
    a. Does anybody know what data is provided with the subscription feed?
    b. What is the frequency of the feed?
    c. How will the information be presented to me on the console, or how will I utilize the data? Is it similar to the public feeds, where the information gets populated into "remote networks"?


    Posted By Henry Li
  • PeterRasmussen (1 Post)

    Re: Bot_Control, Targeted ports, Bogon IP's, Hostile Nets, etc - Where does QRadar get these address lists?

    2013-05-09T19:02:05Z

    Would it be possible to up the limit on Hostile IP from 20 to 100 or more?

  • dwight s (IBM) (4 Posts)

    Re: Bot_Control, Targeted ports, Bogon IP's, Hostile Nets, etc - Where does QRadar get these address lists?

    2013-05-13T15:01:38Z

    Would it be possible to up the limit on Hostile IP from 20 to 100 or more?

    Hi Peter ... 

    Where are you thinking about increasing this limit at?  I'll have to admit, I'm not sure where that limit is, that you're referring to.

    dwight s. 

  • harleyh (1 Post)

    Re: Bot_Control, Targeted ports, Bogon IP's, Hostile Nets, etc - Where does QRadar get these address lists?

    2013-07-08T18:30:03Z

    What format is QRadar expecting? I'd like to be able to add custom/non-public feeds to a QRadar deployment. I found a Perl script (https://github.com/Harvard-ITSecurity/qradar-seculert-push) which can take feeds from Seculert, but I'm not sure what all the output fields mean. Does anyone know how this works?


  • Uhaba (3 Posts)

    Re: Bot_Control, Targeted ports, Bogon IP's, Hostile Nets, etc - Where does QRadar get these address lists?

    2013-11-06T15:54:44Z

    Just to add to the questions above, is there a way to bulk import IPs into this list? I'm guessing under IBM, these fields only get pre-populated with an X-FORCE feed license?