2.14. BadFellas plugin

The Badfellas plugin subjects your organization's network traffic to scrutiny against millions of publicly blacklisted entities. If blacklisted activity is detected:

  1. an alert is raised
  2. the internal host is flagged
  3. the flow that caused the alert is flagged

(Screenshot: Badfellas malware tracker)

Blacklist Alerts

The following items in your network traffic are scrutinized.

IP address

Matches IPs against blacklisted IPs

Domain

Matches blacklisted domain names, even when no response was received or the name is hidden inside DNS records

HTTP Host

Checks if an HTTP host is blacklisted. Priceless when flagging shared hosts like badun.blogspot.com

URL

Checks the URLs of HTTP GETs/POSTs on your network against well-known malicious ones

SSL Certificate

Checks the certificate's SHA1 fingerprint against blacklisted fingerprints

For HTTP Host and URL matching to work, you need to enable TCP Reassembly.

2.14.1 Location

The configuration lives in a file called PI-9FE3C6BC-BEB6-4320-A5BA-7993286D70DF.xml in /usr/local/etc/trisul-probe/domainX/probeX/contextX. Use the cfgedit tool to edit it.

2.14.2 Blacklists

The Badfellas package installs stub copies of the following blacklists. Trisul includes the ability to keep them updated automatically; see the next section.

Some lists include a premium feed. Please contact the list distributor directly.

| Name | Type | Source | Description |
|---|---|---|---|
| dns-blackhole.txt | DNS blackhole list | malwaredomains.lehigh.edu | Keeps track of domains known to propagate malware and spyware |
| dshield.txt | Malicious/scanner IPs | Dshield.org | The well-known DSHIELD list |
| feodotracker-ips.txt | IP blocklist | feodotracker.abuse.ch | IP addresses (IPv4) used as C&C communication channel by the Feodo Trojan |
| malware-domain-list.txt | Malware domains + URLs | Malware Domain List | Domains hosting the latest malware |
| malware-url-domains.txt | Malware domains | Malware URL | The MalwareURL Team is a group of Internet security experts dedicated to fighting malware, Trojans and a multitude of other web-related threats. Needs subscription |
| malware-url-urls.txt | Specific malware URLs | Malware URL | Contact them to get a feed. Needs subscription |
| phish-tank.txt | Anti-phishing | Phish Tank | User-submitted known phishing domains |
| Quantcast-Top-Million.txt | Domains | | Contains top domains list |
| Ransomware_DOMBL.txt | Domains | Ransomware Domain Blocklist | List of ransomware domains |
| Ransomware_IPBL.txt | IPs | Ransomware Domain IPs | List of ransomware IPs |
| Ransomware_URLBL.txt | URLs | Ransomware Domain URLs | List of ransomware URLs |
| sslblacklist.csv | SSL blacklist | SSL Blacklist | List of bad SSL certificates |
| top-1m.csv | Domains | | Contains top 1 million domains list |
| tornodes.txt | TOR nodes | TOR nodes | Checks if any of your network hosts are involved in TOR proxy activity |
| zeustracker-domains.txt | Domains | Zeus Tracker domains | List of bad domains |
| zeustracker-ips.txt | IPs | Zeus Tracker IPs | List of bad IPs |

2.14.3 Setup

Stop Trisul: before installing, upgrading, or uninstalling, please stop Trisul.

Installation

This plugin is distributed as an RPM / DEB package.

# on centos
rpm -Uvh trisul_badfellas-1.0.153-0.el5.x86_64.rpm
# on ubuntu
dpkg -i trisul_badfellas-1.0.153.amd64.deb

Upgrading

After installing a new Badfellas release you need to delete the active configuration file, located at /usr/local/etc/trisul-probe/domain0/probe0/context0/PI-9FE3C6BC-BEB6-4320-A5BA-7993286D70DF.xml. When Trisul is restarted, the configuration is rebuilt.

A sample install

When you install you should get an output like the following.


[root@localhost share]# rpm -Uvh trisul_badfellas-1.0.153-0.el5.x86_64.rpm
Preparing...                ########################################### [100%]
   1:trisul_badfellas       ########################################### [100%]
Creating temp staging area..
Creating consolidated Bad Fellas Tokyo Cab ..
Processing File /tmp/temp_trisul_badfellas_staging/usr/local/share/BadFellas/dns-blackhole.txt..25270 entries
Processing File /tmp/temp_trisul_badfellas_staging/usr/local/share/BadFellas/malware-domain-list.txt.......134498 entries
[root@localhost share]#

Uninstallation

Stop Trisul and uninstall the RPM or DEB package:

# centos
rpm -e trisul_badfellas
# ubuntu
dpkg -r  trisul_badfellas

Starting

Once installed, the plugin will be effective the next time you restart Trisul.

Updating database

The plugin will automatically download a fresh database at a set schedule. You can control when and how frequently this database is updated. See the Badfellas Malware section in the User Guide for more details.

2.14.4 Adding custom indicators into Badfellas blacklists

Step 1 : Create Tab Separated Indicator file

Using an external mechanism, place your custom feed in a tab-separated file with the following format: <FEEDNAME><TAB><IP/DOMAIN/URL><TAB><DESCRIPTION>

Step 2 : Add your file as a source feed for Badfellas automatic updates

Edit the badfellas configuration file.


cd /usr/local/share/trisul-probe
./cfgedit
.. select badfellas

Add your file as a source feed to the automatic updates section in /usr/local/etc/trisul-probe/domain0/probe0/context0/PI-9FE3*.xml


    <!-- ***************************************************************** -->
    <!--    Local feed                                                     -->
    <!--     Any file named badfellas-local-*.tsv  will be processed       -->
    <!--     The file is a TAB separated file with the following fields    -->
    <!--     INTELSOURCE<TAB>KEY<TAB><DESCRIPTION>                         -->
    <!--     KEY = IP Address, Domain Name, URL                            -->
    <!-- ***************************************************************** -->
    <Source>
        <URL>file:///usr/local/share/trisul/plugins/badfellas-local.tsv</URL>
        <Target>badfellas-local-0.tsv</Target>
    </Source>

In the above snippet, the URL file://.... badfellas-local.tsv represents the source feed. Change it to your own file, or to a URL if you are hosting the feed on a website. The feed is refreshed automatically like the other sources.

Restart Trisul, or wait for about 30 minutes for the feed to be picked up.
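The following Python script is an added example, not part of the Trisul documentation or the Badfellas plugin. It shows the "external mechanism" of Step 1 end to end: it renders indicators into the INTELSOURCE<TAB>KEY<TAB>DESCRIPTION layout the local-feed comment describes, validates that each KEY is an IP address, domain name or URL, parses the file back, and dry-runs it against a constructed event to show which of the plugin's IP / Domain / HTTP Host / URL checks would fire. The feed name corp-ti, the indicators and the event are all constructed sample data, and matching an HTTP Host against domain keys is an assumption made for the dry run.

```python
import ipaddress
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sample data: a hypothetical feed name and made-up indicators.
FEED_NAME = "corp-ti"
SAMPLE_INDICATORS = [
    ("198.51.100.23", "scanner seen in a constructed incident"),
    ("evil-example.test", "constructed malware domain"),
    ("http://evil-example.test/dl/payload.bin", "constructed download URL"),
]

# Hostname syntax: dot-separated labels of letters, digits and hyphens.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")


def classify_key(key):
    """Return 'IP', 'DOMAIN' or 'URL' for a KEY field; raise ValueError otherwise.
    These are the three key kinds the local-feed comment in the config allows."""
    try:
        ipaddress.ip_address(key)
        return "IP"
    except ValueError:
        pass
    if key.lower().startswith(("http://", "https://")):
        if urlsplit(key).hostname:
            return "URL"
        raise ValueError(f"URL without a host: {key!r}")
    if _DOMAIN_RE.match(key.lower()):
        return "DOMAIN"
    raise ValueError(f"not an IP address, domain name or URL: {key!r}")


def build_feed_lines(feed_name, indicators):
    """Render INTELSOURCE<TAB>KEY<TAB>DESCRIPTION lines.
    A tab or newline inside any field would shift the columns, so reject it."""
    lines = []
    for key, desc in indicators:
        key = key.strip()
        classify_key(key)  # raises on a malformed indicator
        for field in (feed_name, key, desc):
            if any(c in field for c in "\t\r\n"):
                raise ValueError(f"field contains a tab or newline: {field!r}")
        lines.append(f"{feed_name}\t{key}\t{desc}")
    return lines


def parse_feed_text(text):
    """Parse feed text into {'IP': {...}, 'DOMAIN': {...}, 'URL': {...}}, each
    mapping a normalised key to (source, description). Blank lines and '#'
    comments are skipped; malformed lines raise instead of being silently dropped."""
    table = {"IP": {}, "DOMAIN": {}, "URL": {}}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split("\t")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 tab-separated fields, got {len(fields)}")
        source, key, desc = fields
        kind = classify_key(key)
        norm = key if kind == "URL" else key.lower()  # URL paths are case-sensitive
        table[kind][norm] = (source, desc)
    return table


def match_event(table, event):
    """Dry-run the feed against one constructed event, mirroring the plugin's
    IP / Domain / HTTP Host / URL checks. Returns [(kind, value, source), ...].
    Assumption: an HTTP Host is looked up among the feed's domain keys."""
    hits = []
    for field in ("src_ip", "dst_ip"):
        ip = event.get(field)
        if ip and ip in table["IP"]:
            hits.append(("IP", ip, table["IP"][ip][0]))
    for field in ("dns_name", "http_host"):
        name = event.get(field)
        if name and name.lower() in table["DOMAIN"]:
            hits.append(("DOMAIN", name, table["DOMAIN"][name.lower()][0]))
    url = event.get("url")
    if url and url in table["URL"]:
        hits.append(("URL", url, table["URL"][url][0]))
    return hits


def round_trip(feed_name=FEED_NAME, indicators=SAMPLE_INDICATORS):
    """Write the feed to a temporary badfellas-local-0.tsv, read it back and
    return the parsed table, exercising the on-disk format end to end."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "badfellas-local-0.tsv"
        path.write_text("\n".join(build_feed_lines(feed_name, indicators)) + "\n",
                        encoding="utf-8")
        return parse_feed_text(path.read_text(encoding="utf-8"))


if __name__ == "__main__":
    feed = round_trip()
    # Constructed event: an internal host fetching the sample URL.
    event = {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.23",
             "http_host": "evil-example.test",
             "url": "http://evil-example.test/dl/payload.bin"}
    for hit in match_event(feed, event):
        print(hit)
```

Point the <URL> element in the Source block at the file this script writes (or at a web server hosting it) and Trisul will pick it up on the next refresh. Rejecting malformed lines at generation time matters because a stray tab in a description silently shifts the KEY column, and a feed that never matches produces no alert to tell you it is broken.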