
Tenable Blog


Updated Blacklist Correlation for the Log Correlation Engine

Tenable has released an update to the blacklist.pl script and the corresponding lce_tasl.prm library and TASL script. The new script uses input from the Internet Storm Center, Spamhaus and BleedingSnort to create a list of IP addresses and networks which may be of interest to your network. Any time the Log Correlation Engine detects one of these remote IP addresses or networks interacting with your network systems, an alert is generated. This can help find when your computers are interacting with SPAM or Botnet networks, or when you have been scanned by a known hostile network.

Previously, Tenable had released a Perl script which would periodically receive updates from the SANS Internet Storm Center and then use the isc-blacklist.tasl script along with netflow or sniffed TCP sessions (from the TNM or TFM agents). As of today, isc-blacklist.tasl has been replaced with the more generic blacklist.tasl, and the original blacklist.pl script has been upgraded.

The new process allows for the blacklist.pl script to periodically go to three sources to obtain a list of IP addresses and networks that have been determined to be "hostile" or "malicious".

  • The Internet Storm Center tracks IP addresses and networks which perform broad Internet scanning.
  • Spamhaus releases their top 25 list of SPAM generators for free.
  • The Bleeding Snort project also reports IP addresses and networks involved with large-scale Botnet command and control; the sub-project that publishes this data is known as the ShadowServer Foundation.

This architecture lends itself to being more easily extended. As new lists of "bad" networks are published, they can be added to the blacklist.pl script without modification to the blacklist.tasl script.

The blacklist.pl script can be configured to connect to each of these sources and build a template list of "known bad" IP addresses and networks. The blacklist.tasl script uses this list of "known bad" sources and destinations and subscribes to your network and netflow sessions. When a listed IP address hits your network, a single alert is generated rather than one alert for every scan, connection or email sent. Below are some example screen shots of this technology running in a variety of environments.

[Screenshot: Blacklist1]

This network had 2462 "Blacklist_Connection" events in the last 24 hours.

[Screenshot: Blacklist2]

A sanitized list of some connection events going to many ports, including 6667, commonly used for IRC.

When the TASL script fires, it uses the data about the host obtained by the blacklist.pl script and a DNS lookup to generate the following type of log message:

Blacklist_Connection src - X.X.X.X dst - 1.2.3.4 , following is known about 1.2.3.4 , source of information - http://www.shadowserver.org , message - BleedingSnort-Bot , dns_lookup - example.network.dns.address.com

These messages can be used by other TASL scripts as well as LCE's statistical engine.

Installing The blacklist.pl Script

Download the latest blacklist.tasl and blacklist.pl scripts from the Tenable Support site. Also make sure to update your LCE (Thunder) plugins to get the latest version of the lce_tasl.prm file.

Once this is accomplished, uncompress and untar the blacklist file distribution someplace on your LCE. There will be a file named blacklist.cfg inside the distribution and this needs to be edited.

The first part of the blacklist.cfg file specifies URLs to public sources of IP addresses or networks of interest. There are settings for ISC, BleedingSnort and Spamhaus. The format of these settings is as follows:

IP Address,Source of information,Message or info about the IP address,Country/Location,Email address to contact to report abuse,dns

If you have access to other sources of IP addresses, you can add it like this:

1.2.3.4,tenable.com,RIAA Abuser List,US,[email protected],S2-ESR-69-61-191-47.someplace.com

This allows you to extend the actual "Black Lists" file with IPs other than the ones listed on the above three sources.

The second parameter is the THUNDER_SERVER= keyword, which should be set to the IP address of the Thunder Server (Log Correlation Engine). If the blacklist.pl script is installed on the same server, then 127.0.0.1 should be used. If it is running on a different server, then the remote IP address of the LCE should be used.

Lastly, the script will lie dormant for a period of time and then reach out to the Internet to update the lists of networks. This period is specified by the FREQUENCY keyword as a number of seconds. Whenever there is a new list of networks, a special message is sent to the LCE which causes the blacklist.tasl script to re-hash its list of networks.

Note: If you manually edit the list, you need to restart the LCE.
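The following is an added worked example, not Tenable's blacklist.pl or blacklist.tasl code. It shows the two pieces of the post in working form: parsing the six-field entry lines (IP or network, source, message, country, abuse contact, dns) together with the THUNDER_SERVER= and FREQUENCY= keywords, and then correlating session records against the resulting list so that each listed remote address produces a single Blacklist_Connection message in the format shown above. The exact layout of blacklist.cfg, the config and flow samples, and the static DNS table standing in for the live lookup are all assumptions; the periodic fetch from the three sources and the re-hash message to the LCE are not reproduced.

```python
"""Added example: parse blacklist-style entries and correlate flows against them.
Entry-line field order follows the post; config layout and all data are assumed."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed config text (hypothetical layout). Keywords and entry fields
# are the ones the post names; the addresses and contacts are sample values.
SAMPLE_CFG = """\
# hypothetical blacklist.cfg
THUNDER_SERVER=127.0.0.1
FREQUENCY=3600
192.0.2.10,http://www.shadowserver.org,BleedingSnort-Bot,US,abuse@example.net,bot.example.net
198.51.100.0/24,isc.sans.org,ISC-Scanner,US,abuse@example.org,
203.0.113.5,spamhaus.org,Spamhaus-Top25,NL,abuse@example.com,mail.example.org
"""

# Constructed (src, dst, dport) session records; 10.0.0.0/8 plays the local network.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 6667),    # internal host to listed bot C2 on IRC port
    ("10.0.0.5", "192.0.2.10", 6667),    # repeat session: must not alert again
    ("198.51.100.77", "10.0.0.9", 22),   # scanner inside a listed /24
    ("10.0.0.7", "93.184.216.34", 443),  # not listed anywhere
    ("203.0.113.5", "10.0.0.2", 25),     # listed spam source delivering mail
]

# Constructed stand-in for the DNS lookup the TASL script performs.
STATIC_DNS = {"192.0.2.10": "irc.example-bot.net"}


def static_resolver(ip):
    """Offline resolver: returns a name for known sample IPs, else None."""
    return STATIC_DNS.get(ip)


@dataclass(frozen=True)
class Entry:
    network: ipaddress.IPv4Network  # a bare address is stored as a /32
    source: str
    message: str
    country: str
    abuse_contact: str
    dns: str


KEYWORD = re.compile(r"^([A-Z_]+)=(.*)$")


def parse_cfg(text):
    """Return (settings, entries); rejects malformed entry lines and a missing server."""
    settings, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 6:
            raise ValueError(f"expected 6 comma-separated fields: {line!r}")
        net = ipaddress.ip_network(fields[0], strict=False)  # host or CIDR
        entries.append(Entry(net, *fields[1:]))
    if "THUNDER_SERVER" not in settings:
        raise ValueError("THUNDER_SERVER= not set")
    settings["FREQUENCY"] = int(settings.get("FREQUENCY", "3600"))
    return settings, entries


def lookup(entries, ip):
    """Longest-prefix match of ip against the list, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    best = None
    for e in entries:
        if addr in e.network and (best is None or e.network.prefixlen > best.network.prefixlen):
            best = e
    return best


def format_alert(src, dst, listed, entry, resolver):
    """Build the message in the shape the post shows for Blacklist_Connection."""
    name = resolver(listed) or entry.dns or "unknown"
    return (f"Blacklist_Connection src - {src} dst - {dst} , following is known about "
            f"{listed} , source of information - {entry.source} , message - "
            f"{entry.message} , dns_lookup - {name}")


def correlate(entries, flows, resolver=static_resolver):
    """One alert per distinct listed remote address, in first-seen order."""
    alerts, seen = [], set()
    for src, dst, _dport in flows:
        for candidate in (dst, src):  # either end of the session may be listed
            entry = lookup(entries, candidate)
            if entry is not None and candidate not in seen:
                seen.add(candidate)
                alerts.append(format_alert(src, dst, candidate, entry, resolver))
    return alerts


if __name__ == "__main__":
    _settings, _entries = parse_cfg(SAMPLE_CFG)
    for alert in correlate(_entries, SAMPLE_FLOWS):
        print(alert)
```

The longest-prefix match matters once a single host and a covering network both appear in the list, since the more specific entry usually carries the more useful message and contact; the `seen` set is what keeps a noisy scanner or a long IRC session from producing thousands of identical alerts.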
