To avoid false positives, how can we create a whitelist of IPs or ranges of IPs? I tried to create an IP whitelist by resolving the IPs of the whitelisted domains. Do you guys have any idea?

Izahaak

2 Answers

The question is not completely clear to me. I don't understand exactly why you need an IP whitelist, but as far as I know it's better to have an IP block/black list rather than a white list.

It might be the case that the IP address w.x.y.z is clean today and somehow someone hacks the server tomorrow and serves malicious content. So the IP is not clean anymore!

Having a daily IP blocklist is better since there are lots of services out there which serve such lists (for different types of abuse like spam, malware and phishing) and you can use them on a daily basis.

Sourena

If you have access to enterprise firewall/proxy logs or PCAP data, you can extract the traffic from that environment, do DNS resolution to get the IPs, sort the output from most hits to fewest, then grab the top N as they would probably be commonly used hosts like Google, YouTube, Facebook etc.

The problem with this approach is that reputation is fleeting: I've seen malware on Google Drive, Dropbox, Discord, OneDrive, Pastebin and also GitHub. Reputation is only as good as the hosting company is at removing malware from their sites. Some are fast to take down malware after reports, some are not.

You can also use statistical ranking data like Alexa to resolve FQDNs into IPs, just be aware that ranking does not equate to morality/acceptable use policy as there are plenty of torrent and porn sites listed on Alexa that you may not want to allow to fly under the radar on your corporate network.
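The rank-then-resolve procedure from this answer, as an added Python example that is not part of the original post: it tallies destination hosts in constructed squid-style proxy log lines, resolves the top N (the resolver is injectable so the logic can be exercised offline), and collapses the addresses into CIDR ranges for a firewall whitelist. The log format, hostnames and addresses are constructed, and `build_whitelist`, `to_ranges` and `is_whitelisted` are hypothetical helpers.

```python
import re
import socket
from collections import Counter
from ipaddress import collapse_addresses, ip_address, ip_network
# Constructed proxy log lines (squid-style: time, client, method, URL); not real data.
SAMPLE_LOG = """\
1698320001.1 10.0.0.5 GET https://www.example.com/index.html
1698320002.4 10.0.0.7 GET https://www.example.com/app.js
1698320003.9 10.0.0.5 GET https://cdn.example.net/lib.js
1698320005.2 10.0.0.9 CONNECT https://www.example.com:443
1698320006.0 10.0.0.7 GET http://cdn.example.net/img.png
1698320007.3 10.0.0.5 GET http://rare.example.org/one-off
"""
# Destination host is the authority part of the URL, minus any :port suffix.
HOST_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+https?://([^/:\s]+)")

def count_hosts(log_text):
    """Tally how often each destination host appears in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            counts[m.group(1).lower()] += 1
    return counts

def top_hosts(counts, n):
    """Most-hit hosts first; these are the 'commonly used' candidates."""
    return [host for host, _ in counts.most_common(n)]

def resolve_all(host):
    """Default resolver: collect every A/AAAA record, not just the first one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def build_whitelist(log_text, n, resolver=resolve_all):
    """Resolve the top-N hosts and return their unique IPs (hypothetical helper)."""
    ips = set()
    for host in top_hosts(count_hosts(log_text), n):
        try:
            ips.update(resolver(host))
        except socket.gaierror:
            continue  # unresolvable host: skip it rather than abort the whole list
    return sorted(ips, key=ip_address)

def to_ranges(ips):
    """Collapse adjacent IPv4 addresses into CIDR ranges for the firewall rule."""
    v4 = [ip_network(ip) for ip in ips if ip_address(ip).version == 4]
    return [str(net) for net in collapse_addresses(v4)]

def is_whitelisted(ip, ranges):
    """Check a single IP against the collapsed whitelist ranges."""
    return any(ip_address(ip) in ip_network(r) for r in ranges)
```

Because the resolved addresses change over time (CDN rotation, or a host that is clean today and compromised tomorrow, as the other answer notes), regenerate the list on a schedule rather than treating it as permanent.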