SourceFire Security Intelligence Feed Info

I’ve had my hands on some Cisco FireSight/FirePower gear for a few months. I spent some time digging for info on the SourceFire Security Intelligence Feed categories, and on the sources of the addresses included in the feed. Basically, I wanted a better description for some of the categories (although most of them are self-explanatory), and I wanted to know where they were aggregating information aside from what is populated by VRT/Talos. It wasn’t the most readily available information when I was searching for it, so I’m sharing some of what I found here.

As it turns out, if you SSH in to your FireSight (previously known as Defense Center) host and view rep_dd.yaml from the /var/sf/iprep_download/ directory, there are some longer explanations given for what each category is and the sources.  Here is a consolidated list of the sources and categories:

Sources

  • VRT Intelligence Service: A comprehensive blacklist for enterprise users that contains information on botnets, exploit sites, malicious URLs, and other nefarious activity. This is a proprietary list of addresses that is maintained by the VRT team (now known as Talos at Cisco).
  • Feodo Tracker: A continually updated list of all malicious Feodo/Cridex/Bugat sites catalogued at feodotracker.abuse.ch
  • Malware Domain List: A continually updated list of all malicious URLs offered by the free service malwaredomainlist.com
  • Palevo Tracker: A continually updated list of all malicious Palevo sites catalogued at palevotracker.abuse.ch
  • SpyEye Tracker: A continually updated list of all malicious SpyEye sites catalogued at spyeyetracker.abuse.ch
  • ZeuS Tracker: A continually updated list of all malicious ZeuS sites catalogued at zeustracker.abuse.ch

Categories

  • Attackers: Hosts that are continually scanning for vulnerabilities or attempting to exploit other systems
  • Bogon: IP addresses that are known to not be allocated but are sending traffic
  • Bots: Hosts that are actively participating as part of a botnet, and are being controlled by a known botnet controller
  • CnC: Hosts that have been identified as the controlling servers for a known botnet
  • Malware: Hosts that are attempting to propagate malware or are actively attacking anyone who visits them
  • Open Proxy: Hosts that are known to run open web proxies and offer anonymous web browsing services
  • Open Relay: Hosts that are known to offer anonymous email relaying services used by spam and phishing attackers
  • Phishing: Hosts that are actively attempting to trick end users into entering confidential information like usernames and passwords
  • Response: Addresses that have been repeatedly observed engaging in suspicious or malicious behavior. Or, as @JoelEsler said when I asked him on Twitter: “The Response category is where we send things to die. :)  Those are specifically from the research team and are active campaigns.”
  • Spam: Hosts that have been identified as the source of sending spam email messages
  • Suspicious: Hosts that are displaying suspicious activity and are under active investigation
  • Tor Exit Nodes: Hosts known to offer exit node services for the Tor Anonymizer network

This info may be blatantly obvious, but after correlating Sources to Categories:

  • Feodo Tracker addresses are always CnC
  • Malware Domain List addresses are always Malware
  • Palevo Tracker addresses are always CnC
  • Zeus Tracker addresses are always CnC, and they’re the 2nd most populated list right now
  • There are no SpyEye addresses, but I assume they would also be CnC
  • The VRT Intel list contains more addresses than any other list (by far) at over 10,000 entries, and they are from all categories with the exception of Bogon, Open Proxy, Open Relay, and Suspicious, which are each empty lists at the moment.
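The source-to-category correlation above is easy to reproduce (and to re-check after each feed update) with a short script. The following is an added example, not Cisco/Sourcefire code and not a parser for the real rep_dd.yaml, whose exact layout is not reproduced on this page; it assumes you have already flattened the feed into one "address,source,category" line per entry. The records embedded below are constructed and use documentation address ranges, so they are not real indicators. Beyond the correlation itself, it also shows the defender-side use of the data: checking a handful of addresses seen in your own logs against the feed and reporting which source and category flagged them.

```python
"""Correlate Security Intelligence feed entries by source and category,
and look up observed addresses against them.

Added example. The feed format below ("address,source,category") is an
assumption for illustration, not the layout of rep_dd.yaml.
"""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample feed. Addresses are from RFC 5737 documentation ranges
# (TEST-NET-1/2/3); they are placeholders, not real indicators.
SAMPLE_FEED = """\
# address,source,category
192.0.2.10,VRT Intelligence Service,Attackers
192.0.2.11,VRT Intelligence Service,Malware
192.0.2.12,VRT Intelligence Service,Phishing
192.0.2.13,VRT Intelligence Service,Response
198.51.100.20,ZeuS Tracker,CnC
198.51.100.21,ZeuS Tracker,CnC
198.51.100.22,Feodo Tracker,CnC
198.51.100.23,Palevo Tracker,CnC
203.0.113.30,Malware Domain List,Malware
203.0.113.31,Malware Domain List,Malware
not-an-address,ZeuS Tracker,CnC
"""


def parse_feed(text):
    """Parse 'address,source,category' lines into (address, source, category)
    tuples. Blank lines, '#' comments, malformed rows and entries whose
    address field is not a valid IP are skipped rather than trusted."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue
        addr, source, category = parts
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # feed hygiene: never index a garbage address
        records.append((addr, source, category))
    return records


def categories_by_source(records):
    """Map each source to the sorted list of categories it populates.
    A source whose list is a single category (e.g. ['CnC']) is what the
    'always CnC' observations above look like in data."""
    out = defaultdict(set)
    for _, source, category in records:
        out[source].add(category)
    return {source: sorted(cats) for source, cats in out.items()}


def source_counts(records):
    """Count entries per source, to see which list dominates the feed."""
    return Counter(source for _, source, _ in records)


def match_addresses(records, observed):
    """Return {address: [(source, category), ...]} for every observed
    address that appears in the feed; unmatched addresses are omitted."""
    index = defaultdict(list)
    for addr, source, category in records:
        index[addr].append((source, category))
    return {addr: index[addr] for addr in observed if addr in index}


if __name__ == "__main__":
    recs = parse_feed(SAMPLE_FEED)
    for source, cats in sorted(categories_by_source(recs).items()):
        print(f"{source}: {', '.join(cats)}")
    for source, n in source_counts(recs).most_common():
        print(f"{n:>6}  {source}")
    # Constructed addresses "seen in a log"; one is in the feed, one is not.
    for addr, hits in match_addresses(recs, ["198.51.100.22", "192.0.2.99"]).items():
        print(addr, "->", hits)
```

Run against a real export, `categories_by_source` gives the correlation table directly, and `source_counts` shows at a glance which list is the largest. The address check is deliberately exact-match: the feed is a list of single addresses, so a prefix or CIDR lookup would only invent coverage the feed does not claim.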