WHACK List IPS Sensor Plugin (Snort Only)

What Is WHACK (White+Black) List?

Part (1/?)

In both corporate and personal networks it is clear that current methods of preventing network attacks are not efficient. This multi-part blog post will investigate potential methods of blocking malicious IPs using a WHACK List, building a global profile of malicious IPs.

A WHACK List is an adaptive blacklist built from publicly shared intelligence reported by infected endpoints. Pooled together, this information could form a large adaptive database of blacklisted IPs that non-infected endpoints can use to block an attack before it reaches them.

Additionally, using Python it may be possible to build this database from IPS (Intrusion Prevention System) logs, automating the blacklist so that legitimate users keep their access while remaining protected.
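
As an added illustration of the log-driven blacklist described above (example code, not part of the original post or the WHACK plugin), this Python script parses constructed Snort alert_fast lines, aggregates alerts per source IP with first/last-seen timestamps and hit counts, and emits only the IPs seen within a time window in the one-address-per-line form Snort's reputation blacklist files use. The year is supplied by the caller as an assumption, because the fast format omits it.

```python
import re
from datetime import datetime, timedelta

# Constructed Snort alert_fast lines for illustration (RFC 5737 test addresses, not real traffic).
SAMPLE_LOG = """\
01/15-10:23:45.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:4444 -> 10.0.0.5:51234
01/15-10:24:01.000001  [**] [1:1000001:1] LOCAL probe [**] [Priority: 3] {TCP} 198.51.100.7:55000 -> 10.0.0.5:22
01/16-09:00:00.000000  [**] [1:1000001:1] LOCAL probe [**] [Priority: 3] {TCP} 198.51.100.7:55001 -> 10.0.0.5:23
not an alert line
"""

# Timestamp, gid:sid:rev, priority, protocol and the source address of a fast-format alert.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+"
    r".*?\[Priority:\s*(?P<prio>\d+)\].*?\{\w+\}\s+(?P<src>[\d.]+):\d+\s+->"
)

def parse_alert(line, year):
    """Parse one fast-format line; return None for lines that are not alerts.
    The fast format carries no year, so the caller supplies it (assumption)."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": int(m["sid"]), "prio": int(m["prio"]), "src": m["src"]}

def build_blacklist(log_text, year):
    """Aggregate alerts per attacking source IP: first/last seen, hit count and SIDs."""
    entries = {}
    for line in log_text.splitlines():
        a = parse_alert(line, year)
        if a is None:
            continue
        e = entries.setdefault(a["src"], {"first_seen": a["ts"], "last_seen": a["ts"], "hits": 0, "sids": set()})
        e["first_seen"] = min(e["first_seen"], a["ts"])
        e["last_seen"] = max(e["last_seen"], a["ts"])
        e["hits"] += 1
        e["sids"].add(a["sid"])
    return entries

def active_ips(entries, now, ttl=timedelta(days=7)):
    """The adaptive part: an IP stays listed only while its latest alert is within ttl."""
    return sorted(ip for ip, e in entries.items() if now - e["last_seen"] <= ttl)

def render_blacklist(ips):
    """One address per line, the plain-text form a Snort reputation blacklist file uses."""
    return "\n".join(ips) + "\n"

if __name__ == "__main__":
    entries = build_blacklist(SAMPLE_LOG, 2024)
    print(render_blacklist(active_ips(entries, datetime(2024, 1, 20))), end="")
```

Entries whose last alert falls outside the window drop off the rendered list automatically, so the file can be regenerated on a schedule and reloaded by the sensor.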

Since a static IDS applies its blacklist through rules, it may be useful to extend this program to incorporate adaptive rule sets as well, because some IDSs may pick up on a malicious signature while others do not.

Therefore it may be useful for potentially vulnerable networks to adopt rule sets published on a central web server that can be downloaded and applied (I understand that authorisation may need to be included, as this server might become a single point of failure; this will be discussed later).

This project was inspired by Kaspersky's Threat Map: what if we could implement something like it across a global area network?

What Are The Prerequisites for This Project?

  • Python v3.4+
    • libs:
      • datetime
  • Snort IDS
  • Linux OS
  • Docker Engine
  • Nginx Server (in the testing stages, an Nginx container run through Docker was used)