stamparm / maltrail

Malicious traffic detection system
MIT License
6.34k stars 1.06k forks

Feature Request: Sources #113

Open dbinoj opened 7 years ago

dbinoj commented 7 years ago

Is adding these sources feasible?

https://otx.alienvault.com/api/
https://www.spamhaus.org/drop/ (DROP & EDROP)

Open Threat eXchange (otx.alienvault.com) requires users to have an API key (free). We can set it as a configurable value. If the user does not configure it, that feed is skipped.

stamparm commented 7 years ago

A) https://reputation.alienvault.com/reputation.generic is already being used. The original idea was to rely only on open sources, while the /api/ requires extra steps. Also, alienvault is known for lots of noise, so adding another feed from them would introduce lots of junk.

B) Spamhaus DROP is better used as a prevention on a mail appliance than monitored on Maltrail. I mean, without blocking those IPs you would get lots of noise coming from those SPAM bots.

dbinoj commented 7 years ago

Thanks for clearing things up. BTW, I would still recommend the Spamhaus list because it's better to have visibility that spam traffic is loitering in the network, so that the network security teams monitoring the network can urge mail admins and firewall admins to block the IPs just in case something fails on the mail appliance's side. These SPAM bots use these IPs to spread malware anyway. It is never bad to detect malicious activities from multiple locations :) If there are any other concerns which I am not seeing, please let me know.
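To make the "visibility" argument concrete, here is an added example (not maltrail's code and not from either commenter) of what consuming the Spamhaus DROP list as a monitoring feed would look like: parse the DROP file layout (one CIDR per line, followed by `;` and an SBL reference, with `;` comment lines), then match observed flow endpoints against the netblocks and emit an event per hit rather than blocking anything. The DROP text and flow records below are constructed for this example and use RFC 5737 documentation ranges; the SBL ids are made up.

```python
"""Added example: parse a Spamhaus DROP-style list and flag traffic whose
source or destination falls inside a listed netblock. Monitoring only: the
point is visibility for the security team, not enforcement."""
import ipaddress

# Constructed sample in the DROP file layout. The SBL ids are invented and
# the prefixes are RFC 5737 documentation ranges, so nothing here points at
# a real network.
SAMPLE_DROP = """; Spamhaus DROP List (constructed sample for this example)
; Last-Modified: (omitted)
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
malformed line that should be ignored
203.0.113.0/24 ; SBL000003
"""


def parse_drop(text):
    """Return {ip_network: sbl_ref} for every well-formed DROP entry."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or file comment
        cidr, _, ref = line.partition(";")
        try:
            # strict=True rejects entries with host bits set, which a
            # genuine DROP line never has; anything unparsable is skipped.
            net = ipaddress.ip_network(cidr.strip(), strict=True)
        except ValueError:
            continue
        entries[net] = ref.strip() or None
    return entries


def match_drop(ip, entries):
    """Return (network, sbl_ref) for the listed block covering ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, ref in entries.items():
        if addr in net:
            return (str(net), ref)
    return None


def scan_flows(flows, entries):
    """flows: iterable of (src_ip, dst_ip). Return one event dict per
    endpoint that sits inside a DROP netblock, tagged with its role."""
    events = []
    for src, dst in flows:
        for role, ip in (("src", src), ("dst", dst)):
            hit = match_drop(ip, entries)
            if hit is not None:
                events.append({"ip": ip, "role": role,
                               "network": hit[0], "ref": hit[1]})
    return events


if __name__ == "__main__":
    drop = parse_drop(SAMPLE_DROP)
    # Constructed flow records: an internal host (10.0.0.5) and three peers.
    # The last peer is outside the /25 even though it shares the first three
    # octets, which is why prefix-aware matching matters.
    flows = [("10.0.0.5", "192.0.2.17"),
             ("198.51.100.5", "10.0.0.5"),
             ("10.0.0.5", "198.51.100.200")]
    for event in scan_flows(flows, drop):
        print(event)
```

Because the third flow's peer (198.51.100.200) lies outside the listed /25, it produces no event; only the first two flows are reported, one as a destination hit and one as a source hit. In a real deployment the DROP text would be fetched periodically instead of embedded, and the events would feed the same alert path as maltrail's other sources.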