Friday, February 01, 2008

The Harimau Watchlist

The other day Spoonfork and I had a discussion about the Global Watchlist, and we think it can assist network security analysts in certain ways. Therefore Spoonfork started working on it, and here's the first alpha version of the Global Watchlist -

http://watchlist.security.org.my/watchlist

So what's the function of this watchlist anyway? Basically we pull the lists of suspected malicious IPs/net ranges from different sources such as SANS DShield, Arbor ATLAS and so forth, then put all of them in one place. This can assist security analysts during their operations, especially when they need to determine what a certain suspected IP is doing: they can just query the IP at the watchlist link, see if it matches, and identify it quickly.

The reason we put them together is not to eliminate the usefulness of the original sites but to make use of them efficiently (I don't think you will want to go to each original site and query the IP one by one), so it's best to have a global watchlist that pulls everything together and eases the job of the security analyst. In fact all the credit goes to the original parties, as usual.

A lot of virus/malware researchers rely on VirusTotal, and we think we should have something similar for network security analysts; in fact dakrone will create a module so you can query the IP from NSM Console.

For the moment, you can also query an IP from the command line -

shell>curl http://watchlist.security.org.my/watchlist/show?ip=131.247.1.101 | grep '131.247.1.101'

131.247.1.101,www.emergingthreats.net/rules/bleeding-botcc.rules,botcc,2008-01-31 17:15:55
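To show what the watchlist does behind that query, here is a small added example (my own code, not the Harimau Watchlist's own implementation or code from Spoonfork): it pulls IP and net-range indicators from several feeds into one in-memory list, looks an IP up against every source at once, and emits records in the same ip,source,category,timestamp shape as the curl output above. The feeds are constructed sample data, not the real DShield or ATLAS feeds, and only the Emerging Threats botcc entry comes from the page itself.

```python
import ipaddress

# Constructed sample feeds, not real data and not the watchlist's own sources.
# Each source maps to (indicator, category) pairs; an indicator is a single IP
# or a CIDR net range, which is why matching is done per network.
SAMPLE_SOURCES = {
    "www.emergingthreats.net/rules/bleeding-botcc.rules": [
        ("131.247.1.101", "botcc"),
    ],
    "example-dshield-feed (constructed)": [
        ("192.0.2.0/24", "scanner"),
    ],
    "example-atlas-feed (constructed)": [
        ("198.51.100.7", "phishing"),
        ("131.247.1.0/24", "botnet-range"),
    ],
}


class Watchlist:
    """In-memory aggregate of IP/net-range indicators from several sources."""

    def __init__(self):
        # Each entry: (ip_network, source, category, seen_timestamp)
        self.entries = []

    def add(self, indicator, source, category, seen):
        # strict=False accepts ranges written with host bits set (10.0.0.1/24)
        net = ipaddress.ip_network(indicator, strict=False)
        self.entries.append((net, source, category, seen))

    def query(self, ip):
        """Return every (ip, source, category, seen) entry that covers ip."""
        addr = ipaddress.ip_address(ip)
        return [(str(addr), src, cat, seen)
                for net, src, cat, seen in self.entries
                if addr in net]

    def query_csv(self, ip):
        """Same as query(), formatted like the show?ip= output on the page."""
        return [",".join(hit) for hit in self.query(ip)]


def build_watchlist(sources, seen):
    """Pull every indicator from every source into one Watchlist."""
    wl = Watchlist()
    for source, indicators in sources.items():
        for indicator, category in indicators:
            wl.add(indicator, source, category, seen)
    return wl


def parse_record(line):
    """Parse one 'ip,source,category,timestamp' line as returned by curl."""
    fields = line.strip().split(",", 3)
    if len(fields) != 4:
        raise ValueError("expected 4 comma-separated fields: %r" % line)
    ip, source, category, seen = fields
    ipaddress.ip_address(ip)  # raises ValueError on a malformed IP field
    return {"ip": ip, "source": source, "category": category, "seen": seen}


if __name__ == "__main__":
    wl = build_watchlist(SAMPLE_SOURCES, "2008-01-31 17:15:55")
    for line in wl.query_csv("131.247.1.101"):
        print(line)
```

One thing to keep in mind when filtering the curl output as on the page: in grep, the dots in '131.247.1.101' match any character, so a line for 131x247x1x101 would also pass. Parsing each record and comparing the ip field exactly, as parse_record() does, avoids that.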

You may notice that we named our global watchlist The Harimau Watchlist. If you don't know what Harimau is, it means Tiger in the Malay language; thanks to Spoonfork for such a creative name ;P

Enjoy ;]

5 comments:

Anonymous said...

Excellent work guys...

Keep up the contribution towards the world of network security.

May the world be a better place

Anonymous said...

If the world would be a better place, then we don't need security anymore, which will make us boring :)

Anonymous said...

Greatly appreciated efforts.
Thank you!

Anonymous said...

Wow! Top work, guys. Did exactly what it was set up to do. IP in sustained attack identified as phish and b&.

Elhoim said...

The list looks really interesting.
Would it be possible to get access to it, please?