Etnetera/aggressive source any insight into what the group IP mappings relate to?

Hi,

Was just wondering if anyone had any further insight into what the IP groups in the etnetera/aggressive rules map to?

I checked around the website and the twitter announcement feed hasn’t been updated since 2018, although the rules are updated regularly. https://twitter.com/etnsec

The updated rules located at https://security.etnetera.cz/feeds/etn_aggressive.rules have groups noted in the rule msg, but it isn’t clear what the grouping represents.

Here is a snippet of what most of the 430 rules look like; note I removed a majority of the IP addresses for readability.

The rules have approximately 20-30 ip addresses and then the Group number is incremented, so Group 0 through Group 430.

alert ip [156.96.156.172,...,61.177.173.26] any -> $HOME_NET any (msg:"ETN AGGRESSIVE IPs Group 0"; reference:url,https://security.etnetera.cz/feeds/etn_aggressive.txt; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:5000000; rev:1612823401;)

I sent an email off to the info email address on their website about a week ago, but haven’t heard back.

Thanks,

Steve

Did you ever get an answer to this? I have several alerts popping up in the last couple of days related to these rules.

I have tried changing ‘alert’ to ‘drop’ and re-adding the rule, as well as iptables rules to drop those packets, but I’m not sure what the best way to stop this kind of scanning on my network is. I have one from “zenworks”, a cloud-based company I’ve never heard of, another from a security company looking to map devices on the internet…

Let us know if anything happened…

Hi Farhaan,

I did not hear back, and a separate twitter feed looks to be more active, but maybe more company-focused versus a threat feed. I ended up removing this feed. While the groupings of addresses might be useful in a correlation engine of sorts, without knowing any of the context of what the grouping represents, the alert is not directly actionable.

Steve
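To make the rule format from the first post concrete, and to show what the "correlation engine" lookup mentioned in the follow-up could look like, here is an added example. It is not part of the thread and not Etnetera's code. It parses rule lines of the quoted shape into an IP-to-group index, answers "which group and sid does this address belong to?", and reads the `threshold` option so you know how many alerts one source can raise in a window. The feed text is constructed: only 156.96.156.172 and 61.177.173.26 come from the quoted rule, the rest are RFC 5737 documentation addresses, and sid 5000001 / "Group 1" are invented for the second line. Function names (`parse_feed`, `build_index`, `lookup`, `max_alerts_per_source`) are this example's own.

```python
"""Parse ETN-aggressive-style Suricata rules into an IP -> group lookup.

Added example, not from the thread or from Etnetera. The feed below is
constructed to match the shape of the rule quoted in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample feed. 156.96.156.172 and 61.177.173.26 are the two
# addresses visible in the quoted rule; the RFC 5737 documentation ranges
# (192.0.2.0/24, 198.51.100.0/24) stand in for the elided ones.
SAMPLE_FEED = """\
# lines starting with '#' and blank lines are ignored

alert ip [156.96.156.172,192.0.2.10,192.0.2.32/28,61.177.173.26] any -> $HOME_NET any (msg:"ETN AGGRESSIVE IPs Group 0"; reference:url,https://security.etnetera.cz/feeds/etn_aggressive.txt; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:5000000; rev:1612823401;)
alert ip [198.51.100.5,198.51.100.6] any -> $HOME_NET any (msg:"ETN AGGRESSIVE IPs Group 1"; reference:url,https://security.etnetera.cz/feeds/etn_aggressive.txt; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:5000001; rev:1612823401;)
"""

# Header: action, protocol "ip", a bracketed source list, "any -> <dest> any", options in parens.
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|reject|pass)\s+ip\s+"
    r"\[(?P<sources>[^\]]+)\]\s+any\s+->\s+(?P<dest>\S+)\s+any\s+"
    r"\((?P<options>.*)\)\s*$"
)
# Options are "key:value;" pairs; values never contain ';' in this feed.
OPTION_RE = re.compile(r"(?P<key>[a-z_]+):(?P<value>[^;]*);")
GROUP_RE = re.compile(r"Group\s+(\d+)")


@dataclass
class Rule:
    action: str
    sid: int
    group: Optional[int]          # number parsed from the msg, None if absent
    msg: str
    sources: tuple                # ipaddress network objects (hosts become /32)
    threshold: dict               # parsed 'threshold' option, {} if absent


def parse_threshold(value: str) -> dict:
    """'type limit, track by_src, seconds 60, count 1' -> dict with ints where numeric."""
    out = {}
    for part in value.split(","):
        key, _, val = part.strip().partition(" ")
        out[key] = int(val) if val.isdigit() else val
    return out


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one rule line; return None for lines that are not rules of this shape."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts = {k: v.strip() for k, v in OPTION_RE.findall(m.group("options"))}
    msg = opts.get("msg", "").strip('"')
    g = GROUP_RE.search(msg)
    nets = []
    for tok in m.group("sources").split(","):
        tok = tok.strip()
        if tok.startswith("!"):
            continue  # negated entries exclude addresses, so they never produce a hit
        nets.append(ipaddress.ip_network(tok, strict=False))
    return Rule(
        action=m.group("action"),
        sid=int(opts["sid"]),
        group=int(g.group(1)) if g else None,
        msg=msg,
        sources=tuple(nets),
        threshold=parse_threshold(opts["threshold"]) if "threshold" in opts else {},
    )


def parse_feed(text: str) -> List[Rule]:
    """Parse a whole feed, skipping comments, blank lines and unparseable lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is not None:
            rules.append(rule)
    return rules


def build_index(rules: List[Rule]) -> list:
    """Flatten rules into (network, rule) pairs so a source address can be looked up."""
    return [(net, rule) for rule in rules for net in rule.sources]


def lookup(index: list, address: str) -> Optional[Rule]:
    """Return the first rule whose source list contains the address, else None."""
    ip = ipaddress.ip_address(address)
    for net, rule in index:
        if ip in net:  # False automatically when IP versions differ
            return rule
    return None


def max_alerts_per_source(rule: Rule, window_seconds: int) -> Optional[int]:
    """Upper bound on alerts one source can raise in a window under 'type limit, track by_src'."""
    th = rule.threshold
    if th.get("type") != "limit" or th.get("track") != "by_src":
        return None
    windows = -(-window_seconds // th["seconds"])  # ceiling division
    return windows * th["count"]


if __name__ == "__main__":
    idx = build_index(parse_feed(SAMPLE_FEED))
    for probe in ("61.177.173.26", "192.0.2.40", "203.0.113.9"):
        hit = lookup(idx, probe)
        print(probe, "->", f"group {hit.group} (sid {hit.sid})" if hit else "no match")
```

The `threshold: type limit, track by_src, seconds 60, count 1` option on every rule means each source address can trigger at most one alert per 60-second window, so a burst of alerts from one address over ten minutes caps at ten regardless of how many packets it sent; `max_alerts_per_source` turns that into a number you can compare against what you actually see. Because the group number is only recoverable from the `msg` text, the index is the only thing this feed gives you to correlate on until the curator documents what a group is.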

Just a reminder that you should make sure you understand what the rules are doing before deploying them. The curator of these rules likely identified each of the IP addresses as “aggressive”, of course, but those rules may have no meaning in your deployment scenario.