Bot_Control, Targeted ports, Bogon IP's, Hostile Nets, etc - Where does QRadar get these address lists?
Top Targeted Ports: D-Shield
Botnets: Emerging threats.
They collaborate their information with a couple of sites, http://www.shadowserver.org and http://www.honeynet.cz
If any users have other suggestions, we can forward them onto the security group that collects and uses this data to create these groups, for -possible- inclusion in the remote networks view.
Posted By dwight (q1)
Re: I would suggest extending (2010-11-14T04:39:20Z)
I would suggest extending beyond just IP addresses and start pulling data from the following sources as well for domains/IPs:
Those would be an excellent start to check proxy logs, URLs in firewall logs, etc. If QRadar could use this to check 'HOST:' entries in flows as well, this would be great.
Posted By Guest
Re: Bogon list includes 127.0.0.1 resulting in many false positives (2011-08-22T15:31:24Z)
We're getting MANY "Suspicious Activity - Event CRE" events created with the source IP of our Q1 appliances and destination of 127.0.0.1, presumably because the Bogon List includes 127.0.0.0/8. I don't see an easy way to remove that network and I'm afraid that even if I remove it, it will get updated and added again. What's the best way to prevent this false-positive event from occurring?
Posted By Mike Pilkington
Re: John, I will need to check (2011-08-23T02:39:40Z)
John, I will need to check with dev and product management on the roadmap, but I am pretty sure the malwaredomains are still listed in the weekly auto update at present time.
Posted By Aaron.Breen
Re: Update Interval. (2012-04-24T19:28:37Z)
Hello,
I have a couple of questions regarding these lists:
Is it possible to update these lists separately from the other updates on the system?
How often does QRadar update the main list against those databases online?
Is there a script that could be used to add more lists apart from the ones used currently?
Posted By Carlos Aguilera
Re: These updates are part of the (2012-04-25T00:58:27Z)
These updates are part of the "Configuration Updates", which include configuration file changes, vulnerability, QID map, and security threat information updates.
They get updated once a week.
You can add new lists in the Remote Networks on the admin tab. This GUI updates a text file in your config, remotenet.conf. Scripting changes to this file is possible, but I would suggest engaging Services to help you write an effective script. Maybe someone else has written one that they would like to share?
Posted By Xavier Ashe
Re: Reviewing the traffic to (2012-06-15T12:46:50Z)
Reviewing the traffic to remote nets I came across a few items which I don't know how to resolve - like why multicast addresses are listed as Bogon IPs. The prior Q&A and other posts about remote networks lead me to conclude that if I don't want 224.0.0/24 showing as a bogon network, my changes will be deleted at the next update. Am I missing something or are these sources overly broad?
Posted By Sean @ MITRE
Re: We see the same thing and (2012-11-08T15:53:07Z)
We see the same thing and it's not misconfigured log sources. It's the QRadar system 99% of the time generating internal traffic on 127.0.0.0/8 ranges. The other problem is that multicast traffic IP ranges are part of the bogon IP list, which causes a similar problem.
Posted By mrcantr
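The two posts above describe the same failure mode: a bogon list that covers loopback (127.0.0.0/8) and multicast (224.0.0.0/4) makes a "traffic to bogon network" rule fire on an appliance's own traffic. The following is an added example, not code from this thread or from QRadar, showing how a feed of plain CIDR lines (a constructed sample here; the thread does not document the remotenet.conf format, so no particular file layout is assumed) can be pruned of those ranges before it is loaded, and how a destination address is then checked against the pruned list.

```python
import ipaddress

# Constructed sample of bogon-style entries (not real feed data). It deliberately
# includes the loopback range and a block covering multicast, the two cases the
# thread reports as sources of "Suspicious Activity" false positives.
SAMPLE_BOGONS = [
    "0.0.0.0/8",
    "10.0.0.0/8",
    "127.0.0.0/8",
    "224.0.0.0/3",   # covers both multicast (224/4) and reserved (240/4)
]

# Ranges an appliance or any host legitimately sends to; a "traffic to bogon"
# rule should never fire on them, so they are carved out of the list.
LOCAL_NOISE = [
    ipaddress.ip_network("127.0.0.0/8"),   # loopback
    ipaddress.ip_network("224.0.0.0/4"),   # multicast
]


def prune_bogons(cidrs, exclusions=LOCAL_NOISE):
    """Return the bogon networks with every exclusion carved out."""
    # CIDR blocks are either nested or disjoint: an entry is dropped when an
    # exclusion covers it, split when it covers an exclusion, else kept.
    pieces = [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs if c.strip()]
    for excl in exclusions:
        remaining = []
        for net in pieces:
            if net.subnet_of(excl):
                continue                                     # fully excluded: drop
            if excl.subnet_of(net):
                remaining.extend(net.address_exclude(excl))  # carve the hole out
            else:
                remaining.append(net)                        # disjoint: keep as is
        pieces = remaining
    return pieces


def should_alert(dst_ip, bogons):
    """True when a destination address still falls inside a pruned bogon entry."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in bogons)


if __name__ == "__main__":
    pruned = prune_bogons(SAMPLE_BOGONS)
    print("pruned list:", [str(n) for n in pruned])
    for dst in ("127.0.0.1", "224.0.0.251", "10.1.2.3", "250.1.1.1"):
        print(dst, "-> alert" if should_alert(dst, pruned) else "-> ignore")
```

Because the weekly configuration update can overwrite the list, the pruning step belongs in whatever job reloads the feed, not in a one-time manual edit.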
Re: I have a script to add any source (2012-12-14T16:22:27Z)
Xavier, I wrote a script that can add any input source. We are using this for "Seculert". I'll clean it up and post it here.
Posted By Ventz Petkov
Re: Auto update external feed still current? (2013-03-06T21:31:41Z)
I am investigating integrating external feeds into QRadar. I did a search and found this post and the list on this link (https://qmmunity.q1labs.com/node/2831).
1. Are these public feeds still the current sources?
2. Are the upgrade frequencies listed still valid?
3. I understand where the information from remotenet.conf and geodata.conf is utilized and presented on the console. But where does the information from socialnet.list appear on the console or get utilized?
4. Everything above relates to public feeds. I believe there is also a subscription feed from X-Force.
a. Does anybody know what data is provided with the subscription feed?
b. What is the frequency of the feed?
c. How will the information be presented to me on the console or how will I utilize the data? Is it similar to the public feeds, and does the information get populated into "remote networks"?
Posted By Henry Li
Re: Bot_Control, Targeted ports, Bogon IP's, Hostile Nets, etc - Where does QRadar get these address lists? (2013-05-09T19:02:05Z)
Would it be possible to up the limit on Hostile IP from 20 to 100 or more?
Posted By PeterRasmussen
Re: Bot_Control, Targeted ports, Bogon IP's, Hostile Nets, etc - Where does QRadar get these address lists? (2013-05-13T15:01:38Z)
Hi Peter ...
Where are you thinking about increasing this limit? I'll have to admit, I'm not sure where that limit is that you're referring to.
Posted By dwight s (IBM)
Re: Bot_Control, Targeted ports, Bogon IP's, Hostile Nets, etc - Where does QRadar get these address lists? (2013-07-08T18:30:03Z)
What format is QRadar expecting? I'd like to be able to add custom/non-public feeds to a QRadar deployment. I found a Perl script (https://github.com/Harvard-ITSecurity/qradar-seculert-push) which can take feeds from Seculert but I'm not sure what all the output fields mean. Does anyone know how this works?
Posted By harleyh
Re: Bot_Control, Targeted ports, Bogon IP's, Hostile Nets, etc - Where does QRadar get these address lists? (2013-11-06T15:54:44Z)
Just to add to the questions above, is there a way to bulk import IPs into this list? I'm guessing under IBM, these fields only get pre-populated with an X-FORCE feed license?
Posted By Uhaba