Re: Local BL support?

2014-06-12 Thread Philip Prindeville

On Jun 11, 2014, at 2:27 PM, Philip Prindeville 
philipp_s...@redfish-solutions.com wrote:

 Okay, might have a module ready to test.


Here’s what I came up with.

I should probably add uri_block_isp as well, but this is more problematic.

It requires a licensed database which the user may or may not have, so I have 
to detect that and handle it gracefully.

Also the names of ISPs can contain spaces and punctuation, so I’ll need 
quoting.

As far as I know, names are limited to the ASCII alphabet for now (yay 1980s 
technology!!!).

I don’t bother to see if multiple URIs match against the blacklist… I stop 
when I see the first one.

I test for country codes before address block matches.  Arguably the latter 
would be quicker, so I might make that the first test.

Lastly, I don’t do the asynchronous address lookup… and I have to admit I don’t 
understand why this isn’t done for us by get_uri_detail_list() or whatever 
populates that hash.

Rather than having things like:

hosts => {
   'nqtel.com' => 'nqtel.com'
}

why not have it be pre-populated for us, such as:

hosts => {
   'nqtel.com' => [ '107.158.249.74' ]
}

for instance?

Anyway, here’s the script.  I don’t do a lot of volume so I’m okay with 
synchronous lookups, but if someone else wants to make that change I’d be happy 
to incorporate it.

http://ur1.ca/hiltd



Re: Local BL support?

2014-06-11 Thread Philip Prindeville

On Jun 9, 2014, at 4:27 PM, John Hardin jhar...@impsec.org wrote:

 On Mon, 9 Jun 2014, Philip Prindeville wrote:
 
 
 On Jun 9, 2014, at 3:36 PM, John Hardin jhar...@impsec.org wrote:
 
 On Mon, 9 Jun 2014, Axb wrote:
 
 On 06/09/2014 10:46 PM, Philip Prindeville wrote:
 I’d like to add a plugin (and eventually share it once the bugs are
 out) that uses either Net::CIDR::Lite to allow manual entry of
 IP-based blacklists for known offending address blocks, or else using
 the Geo::IP module to blacklist based on the country or ISP.
 
 Is there a prototype Plugin that I could use for doing
 parsing/looking up the URI’s hostname?  Since I’m using a local
 database without network access, it could happen synchronously…
 
 The standard SA URIBL.pm ?
 put your data in a local NS instance (rbldnsd, bind, whatever you prefer)
 
 Second URIBL.pm.
 
 For small sites it would be nice if it supported specifying a netblock 
 explicitly in the rule. If you're only doing a few that would be easier 
 than setting up a zone or rbldnsd. You might look at extending URIBL.pm to 
 do that.
 
 
 I’m happy to try doing that, since I know Perl and need this… I’m just 
 lacking on the expertise about doing SA modules… Anyone want to walk me 
 through it?
 
 The URIBL module is already there. If you know Perl it should be fairly easy 
 to look at the existing code and add a variant where it accepts a netblock 
 spec instead of a URIBL hostname and does the IP comparison to that rather 
 than performing a DNS query…
 


Okay, might have a module ready to test.

Which reminds me: is there a way to test a module off-line without inserting it 
into a production flow if you only have one machine to test with?  I suppose I 
could use a --configfile=… to load this module separately, and run it in test 
mode…

-Philip



Re: Local BL support?

2014-06-11 Thread Axb

On 06/11/2014 10:27 PM, Philip Prindeville wrote:



Which reminds me: is there a way to test a module off-line without inserting it 
into a production flow if you only have one machine to test with?  I suppose I 
could use a --configfile=… to load this module separately, and run it in test 
mode…



VirtualBox on your local machine could help...




Local BL support?

2014-06-09 Thread Philip Prindeville
I’d like to add a plugin (and eventually share it once the bugs are out) that 
uses either Net::CIDR::Lite to allow manual entry of IP-based blacklists for 
known offending address blocks, or else using the Geo::IP module to blacklist 
based on the country or ISP.

It would need to expose parts of the API depending on how it detects the 
presence of modules, I suppose.

Not sure if it’s worth making run-time detection of the Geo::IP licenses and 
databases do the same.

Is there a prototype Plugin that I could use for doing parsing/looking up the 
URI’s hostname?  Since I’m using a local database without network access, it 
could happen synchronously…

Thanks,

-Philip



Re: Local BL support?

2014-06-09 Thread Axb

On 06/09/2014 10:46 PM, Philip Prindeville wrote:

I’d like to add a plugin (and eventually share it once the bugs are
out) that uses either Net::CIDR::Lite to allow manual entry of
IP-based blacklists for known offending address blocks, or else using
the Geo::IP module to blacklist based on the country or ISP.

It would need to expose parts of the API depending on how it detects
the presence of modules, I suppose.

Not sure if it’s worth making run-time detection of the Geo::IP
licenses and databases do the same.

Is there a prototype Plugin that I could use for doing
parsing/looking up the URI’s hostname?  Since I’m using a local
database without network access, it could happen synchronously…

Thanks,


The standard SA URIBL.pm ?
put your data in a local NS instance (rbldnsd, bind, whatever you prefer)



Re: Local BL support?

2014-06-09 Thread John Hardin

On Mon, 9 Jun 2014, Axb wrote:


On 06/09/2014 10:46 PM, Philip Prindeville wrote:

 I’d like to add a plugin (and eventually share it once the bugs are
 out) that uses either Net::CIDR::Lite to allow manual entry of
 IP-based blacklists for known offending address blocks, or else using
 the Geo::IP module to blacklist based on the country or ISP.

 Is there a prototype Plugin that I could use for doing
 parsing/looking up the URI’s hostname?  Since I’m using a local
 database without network access, it could happen synchronously…


The standard SA URIBL.pm ?
put your data in a local NS instance (rbldnsd, bind, whatever you prefer)


Second URIBL.pm.

For small sites it would be nice if it supported specifying a netblock 
explicitly in the rule. If you're only doing a few that would be easier 
than setting up a zone or rbldnsd. You might look at extending URIBL.pm to 
do that.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You are in a maze of twisty little protocols,
  all written by Microsoft.
--
 739 days since the first successful private support mission to ISS (SpaceX)

Re: Local BL support?

2014-06-09 Thread Philip Prindeville

On Jun 9, 2014, at 3:36 PM, John Hardin jhar...@impsec.org wrote:

 On Mon, 9 Jun 2014, Axb wrote:
 
 On 06/09/2014 10:46 PM, Philip Prindeville wrote:
 I’d like to add a plugin (and eventually share it once the bugs are
 out) that uses either Net::CIDR::Lite to allow manual entry of
 IP-based blacklists for known offending address blocks, or else using
 the Geo::IP module to blacklist based on the country or ISP.
 
 Is there a prototype Plugin that I could use for doing
 parsing/looking up the URI’s hostname?  Since I’m using a local
 database without network access, it could happen synchronously…
 
 The standard SA URIBL.pm ?
 put your data in a local NS instance (rbldnsd, bind, whatever you prefer)
 
 Second URIBL.pm.
 
 For small sites it would be nice if it supported specifying a netblock 
 explicitly in the rule. If you're only doing a few that would be easier than 
 setting up a zone or rbldnsd. You might look at extending URIBL.pm to do that.
 

I’m happy to try doing that, since I know Perl and need this…  I’m just lacking 
on the expertise about doing SA modules…  Anyone want to walk me through it?

-Philip




Re: Local BL support?

2014-06-09 Thread John Hardin

On Mon, 9 Jun 2014, Philip Prindeville wrote:



On Jun 9, 2014, at 3:36 PM, John Hardin jhar...@impsec.org wrote:


On Mon, 9 Jun 2014, Axb wrote:


On 06/09/2014 10:46 PM, Philip Prindeville wrote:

I’d like to add a plugin (and eventually share it once the bugs are
out) that uses either Net::CIDR::Lite to allow manual entry of
IP-based blacklists for known offending address blocks, or else using
the Geo::IP module to blacklist based on the country or ISP.

Is there a prototype Plugin that I could use for doing
parsing/looking up the URI’s hostname?  Since I’m using a local
database without network access, it could happen synchronously…


The standard SA URIBL.pm ?
put your data in a local NS instance (rbldnsd, bind, whatever you prefer)


Second URIBL.pm.

For small sites it would be nice if it supported specifying a netblock 
explicitly in the rule. If you're only doing a few that would be easier than 
setting up a zone or rbldnsd. You might look at extending URIBL.pm to do that.



I’m happy to try doing that, since I know Perl and need this… I’m just 
lacking on the expertise about doing SA modules… Anyone want to walk me 
through it?


The URIBL module is already there. If you know Perl it should be fairly 
easy to look at the existing code and add a variant where it accepts a 
netblock spec instead of a URIBL hostname and does the IP comparison to 
that rather than performing a DNS query...


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Gun Control laws cannot reduce violent crime, because gun control
  laws focus obsessively on a tool a criminal might use to commit a
  crime rather than the criminal himself and his act of violence.
---
 739 days since the first successful private support mission to ISS (SpaceX)
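A sketch of the plugin this thread converges on, added here as an example; it is not Philip's module behind the ur1.ca link, not URIBL.pm, and not SpamAssassin project code. It follows John Hardin's suggestion of putting the netblock directly in the rule instead of a URIBL zone, and Philip's design notes from the June 12 message: country and netblock as separate tests, stop at the first matching URI host, synchronous lookups, and Geo::IP treated as optional so a missing licensed database degrades to "no hit" rather than an error. It assumes the SpamAssassin 3.4 plugin API (register_eval_rule, get_uri_detail_list, dbg from Mail::SpamAssassin::Logger) and the Net::CIDR::Lite and Geo::IP modules named in the thread; the module name, the rule names LOCAL_URI_NETBLOCK and LOCAL_URI_COUNTRY, the eval function names and the 192.0.2.0/24 and 198.51.100.0/24 netblocks are made up for the illustration.

```perl
# Added example, not the module from the thread or SpamAssassin's own code.
# Assumed SA 3.4 plugin API; rule names and netblocks below are illustrative.
#
# Rules to pair with it (in a local .cf file):
#   loadplugin Mail::SpamAssassin::Plugin::LocalURIBL /etc/mail/spamassassin/LocalURIBL.pm
#   header   LOCAL_URI_NETBLOCK eval:check_uri_netblock('192.0.2.0/24','198.51.100.0/24')
#   describe LOCAL_URI_NETBLOCK URI host resolves into a locally blacklisted netblock
#   score    LOCAL_URI_NETBLOCK 3.0
#   header   LOCAL_URI_COUNTRY  eval:check_uri_country('XX')
#   score    LOCAL_URI_COUNTRY  1.5
package Mail::SpamAssassin::Plugin::LocalURIBL;

use strict;
use warnings;
use Socket qw(inet_ntoa);
use Net::CIDR::Lite;
use Mail::SpamAssassin::Plugin;
use Mail::SpamAssassin::Logger;

our @ISA = qw(Mail::SpamAssassin::Plugin);

# Geo::IP is optional: probe for the module and its default country database
# once at load time, so the country rule skips cleanly when either is absent.
my $GEOIP;
BEGIN {
  if (eval { require Geo::IP; 1 }) {
    $GEOIP = eval { Geo::IP->new(Geo::IP::GEOIP_STANDARD()) };
  }
}

sub new {
  my ($class, $mailsa) = @_;
  $class = ref($class) || $class;
  my $self = $class->SUPER::new($mailsa);
  bless $self, $class;
  $self->register_eval_rule('check_uri_netblock');
  $self->register_eval_rule('check_uri_country');
  return $self;
}

# Resolve every host found in the message's URIs, synchronously, and cache the
# result in the per-message status object so both rules share one set of
# lookups. IPv4 A records only; hosts that are already IP literals pass through.
sub _uri_host_addrs {
  my ($self, $pms) = @_;
  return $pms->{localuribl_addrs} if $pms->{localuribl_addrs};
  my %addrs;                                   # host => [ dotted quads ]
  my $uris = $pms->get_uri_detail_list();
  for my $info (values %$uris) {
    for my $host (keys %{ $info->{hosts} || {} }) {
      next if exists $addrs{$host};
      if ($host =~ /^\d{1,3}(?:\.\d{1,3}){3}$/) {
        $addrs{$host} = [ $host ];
        next;
      }
      my (undef, undef, undef, undef, @packed) = gethostbyname($host);
      $addrs{$host} = [ map { inet_ntoa($_) } @packed ];  # empty on NXDOMAIN
      dbg("localuribl: $host -> @{ $addrs{$host} }");
    }
  }
  return $pms->{localuribl_addrs} = \%addrs;
}

# eval:check_uri_netblock('cidr', ...): hit on the first URI host address that
# falls inside any listed block. The Net::CIDR::Lite set is built once per
# distinct argument list and reused across messages.
sub check_uri_netblock {
  my ($self, $pms, @blocks) = @_;
  my $cidr = $self->{localuribl_cidr}{"@blocks"} ||= do {
    my $set = Net::CIDR::Lite->new;
    $set->add($_) for @blocks;
    $set;
  };
  my $addrs = $self->_uri_host_addrs($pms);
  for my $host (sort keys %$addrs) {
    for my $ip (@{ $addrs->{$host} }) {
      if ($cidr->find($ip)) {
        dbg("localuribl: $host ($ip) is in a listed netblock");
        return 1;
      }
    }
  }
  return 0;
}

# eval:check_uri_country('CC', ...): hit on the first URI host address that
# geolocates to one of the listed ISO country codes; no Geo::IP, no hit.
sub check_uri_country {
  my ($self, $pms, @countries) = @_;
  unless ($GEOIP) {
    dbg("localuribl: Geo::IP or its database unavailable, skipping");
    return 0;
  }
  my %want = map { uc($_) => 1 } @countries;
  my $addrs = $self->_uri_host_addrs($pms);
  for my $host (sort keys %$addrs) {
    for my $ip (@{ $addrs->{$host} }) {
      my $cc = $GEOIP->country_code_by_addr($ip) or next;
      if ($want{$cc}) {
        dbg("localuribl: $host ($ip) geolocates to $cc");
        return 1;
      }
    }
  }
  return 0;
}

1;
```

Two points a deployment should weigh before using something like this. The gethostbyname() call blocks the scan for up to the resolver timeout per unique host, and the hostnames come from the message body, so a sender controls how many unique lookups a scan performs; that is the reason the stock URIBL plugin goes through SpamAssassin's asynchronous DNS machinery, and why the per-message cache above only softens the cost rather than removing it. For trying the module without inserting it into the production flow, which was asked about in this thread, a single run with `spamassassin -D localuribl --cf='loadplugin Mail::SpamAssassin::Plugin::LocalURIBL /path/to/LocalURIBL.pm' -t < message.eml` loads the plugin for that invocation only and shows the debug lines it emits, leaving the site configuration untouched.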