2.14. BadFellas plugin

The Badfellas plugin scrutinizes your organization's network traffic against millions of publicly blacklisted entities. When blacklisted activity is detected:

  1. an alert is raised
  2. the internal host is flagged
  3. the flow that caused the alert is flagged

(Figure: Badfellas malware tracker screenshot)

The following items in your network traffic are scrutinized:

  IP address
    Matches the IP addresses seen in traffic against blacklisted IPs.

  Domain
    Matches blacklisted domain names seen in DNS traffic. A query is matched even if no response was received, and names that only appear inside DNS records are matched as well.

  HTTP Host
    Checks whether the HTTP Host header is blacklisted. This is invaluable for flagging shared hosts such as badun.blogspot.com, where the IP address alone says nothing.

  URL
    Checks the URLs of HTTP GETs/POSTs on your network against well known malicious ones.

For HTTP Host and URL matching to work, you need to enable TCP Reassembly. Without it only the IP address and Domain checks are effective.

2.14.1 Blacklists

The Badfellas package installs stub copies of the following blacklists. Trisul can keep them updated automatically; see the next section.

Some lists are premium feeds. Please contact the list distributor directly for those.
ninja-chimp.txt
  Type: Malicious IPs (could be noisy)
  Source: Ninja Chimp Strike Force
  Notes: Compiled from Arbor Networks, Project Honeypot, FIRE (maliciousnetwork.org), Host Exploit, Shadowserver and a variety of other similar sites.

dshield.txt
  Type: Malicious/scanner IPs
  Source: DShield.org
  Notes: The well known DSHIELD list.

malware-domain-list.txt
  Type: Malware domains + URLs
  Source: Malware Domain List
  Notes: Domains hosting the latest malware.

malware-url-domains.txt
  Type: Malware domains
  Source: MalwareURL
  Notes: The MalwareURL Team is a group of Internet security experts dedicated to fighting malware, Trojans and a multitude of other web-related threats. Subscription required.

malware-url-urls.txt
  Type: Specific malware URLs
  Source: MalwareURL
  Notes: Contact them to get a feed. Subscription required.

dns-blackhole.txt
  Type: DNS blackhole list
  Source: malwaredomains.com
  Notes: Keeps track of domains known to propagate malware and spyware.

phish-tank.txt
  Type: Anti-phishing
  Source: PhishTank
  Notes: User submitted known phishing domains.

tor.txt
  Type: TOR nodes
  Notes: Checks if any of your network hosts are involved in TOR proxy activity.

palevo-combined.txt
  Type: Palevo C&C
  Source: abuse.ch Palevo Tracker
  Notes: Palevo C&C domains and IPs in a single file.

zeustracker-ips.txt
  Type: ZeuS C&C IP
  Source: ZeuS Tracker at abuse.ch
  Notes: IP blacklist of ZeuS Command and Control hosts worldwide.

zeustracker-domains.txt
  Type: ZeuS C&C Domain
  Source: ZeuS Tracker at abuse.ch
  Notes: Domain blacklist of ZeuS C&C hosts.

reputation.gz
  Type: AlienVault Open Source Reputation
  Source: AlienVault OS Reputation Portal
  Notes: Suspicious IPs.

2.14.2 Setup

Stop Trisul before installing, upgrading, or uninstalling this plugin.

Installation

This plugin is distributed as an RPM / DEB package.

# on centos
rpm -Uvh trisul_badfellas-1.0.153-0.el5.x86_64.rpm
# on ubuntu
dpkg -i trisul_badfellas-1.0.153.amd64.deb

Upgrading

After installing a new Badfellas release you need to delete the active configuration file, located at /usr/local/etc/trisul/PI-9FE3C6BC-BEB6-4320-A5BA-7993286D70DF.xml. The configuration is rebuilt when Trisul is restarted. If you have added custom feed sources to this file (see 2.14.3), copy those <Source> entries out first so you can re-add them after the rebuild.

A sample install

When you install, you should see output like the following.


[root@localhost share]# rpm -Uvh trisul_badfellas-1.0.153-0.el5.x86_64.rpm
Preparing...                ########################################### [100%]
   1:trisul_badfellas       ########################################### [100%]
Creating temp staging area..
Creating consolidated Bad Fellas Tokyo Cab ..
Processing File /tmp/temp_trisul_badfellas_staging/usr/local/share/BadFellas/dns-blackhole.txt..25270 entries
Processing File /tmp/temp_trisul_badfellas_staging/usr/local/share/BadFellas/malware-domain-list.txt.......134498 entries
[root@localhost share]#

Uninstallation

Stop Trisul and uninstall the RPM or DEB.

# centos
rpm -e trisul_badfellas
# ubuntu
dpkg -r trisul_badfellas

Starting

Once installed, the plugin will be effective the next time you restart Trisul.

Updating database

The plugin will automatically download a fresh database at a set schedule. You can control when and how frequently this database is updated. See the Badfellas Malware section in the User Guide for more details.

2.14.3 Adding custom indicators into Badfellas blacklists

Step 1 : Create Tab Separated Indicator file

Using whatever external mechanism you prefer, place your custom indicators in a tab-separated file with one entry per line, in the format <FEEDNAME><TAB><IP/DOMAIN/URL><TAB><DESCRIPTION>. The first field is the name of the feed (intel source) the indicator came from, the second is the IP address, domain name or URL to match, and the third is a free-text description.

Step 2 : Add your file as a source feed for Badfellas automatic updates

Edit the badfellas configuration file.


cd /usr/local/share/trisul
./cfgedit
.. select badfellas

Add your file as a source feed in the automatic updates section of /usr/local/etc/trisul/PI-9FE3*.xml:


    <!-- ***************************************************************** -->
    <!--    Local feed                                                     -->
    <!--     Any file named badfellas-local-*.tsv  will be processed       -->
    <!--     The file is a TAB separated file with the following fields    -->
    <!--     INTELSOURCE<TAB>KEY<TAB><DESCRIPTION>                         -->
    <!--     KEY = IP Address, Domain Name, URL                            -->
    <!-- ***************************************************************** -->
    <Source>
        <URL>file:///usr/local/share/trisul/plugins/badfellas-local.tsv</URL>
        <Target>badfellas-local-0.tsv</Target>
    </Source>

In the above snippet the URL file:///.../badfellas-local.tsv is the source feed. Change it to the path of your file, or to an http(s) URL if you host it on a website. The feed is then refreshed automatically along with the other sources. Keep the Target name matching the pattern badfellas-local-*.tsv; as the comment in the snippet says, only files with that name are processed as local feeds.

Restart Trisul, or wait about 30 minutes for the feed to be picked up.

You may also want to use the Badfellas Lookup Tool to confirm that indicators from your feed have been integrated into the database. The lookup tool is available under Tools > Show All > Badfellas Lookup.
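The following script is an added example and not part of Trisul or the Badfellas plugin. It shows the "external mechanism" of Step 1: it validates a list of indicators (one entry per IP address, domain name or URL), rejects entries that would corrupt a tab-separated file, and emits lines in the INTELSOURCE<TAB>KEY<TAB>DESCRIPTION format. It then checks <Source> entries of the kind added in Step 2, flagging any whose Target does not match badfellas-local-*.tsv. The feed name corp-soc, the indicator values, and the <Sources> wrapper element in the sample XML are constructed for the example; the real PI-9FE3*.xml has its own surrounding structure.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatch

# Constructed sample indicators for this example (hypothetical feed name and
# values, not real intelligence). Two entries are deliberately malformed.
INDICATORS = [
    ("corp-soc", "198.51.100.23", "C2 address seen in ticket 1234"),
    ("corp-soc", "evil.example.net", "phishing landing domain"),
    ("corp-soc", "http://evil.example.net/login.php", "credential harvester"),
    ("corp-soc", "not a key", "malformed: not an IP, domain or URL"),
    ("corp-soc", "10.0.0.5\tbad", "malformed: tab inside the KEY field"),
]

# Hostname syntax: dot-separated labels, no leading/trailing hyphen, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def classify(key):
    """Return 'ip', 'domain' or 'url' for a KEY field, or None if it is none of these."""
    try:
        ipaddress.ip_address(key)
        return "ip"
    except ValueError:
        pass
    if key.lower().startswith(("http://", "https://")):
        return "url"
    if DOMAIN_RE.match(key):
        return "domain"
    return None


def make_record(source, key, description):
    """Build one TSV line, or return None if the entry would corrupt the file.

    A tab or newline inside a field would shift the columns of the whole line,
    so such entries are rejected rather than escaped.
    """
    fields = (source.strip(), key.strip(), description.strip())
    if any(not f or "\t" in f or "\n" in f for f in fields):
        return None
    if classify(fields[1]) is None:
        return None
    return "\t".join(fields)


def build_feed(indicators):
    """Return (tsv_text, rejected_keys) for a list of (source, key, description)."""
    lines, rejected = [], []
    for source, key, description in indicators:
        record = make_record(source, key, description)
        if record is None:
            rejected.append(key)
        else:
            lines.append(record)
    return "".join(line + "\n" for line in lines), rejected


# Constructed fragment in the shape of the <Source> entries shown above. The
# <Sources> parent is made up; the real file wraps them in its own elements.
SAMPLE_CONFIG = """<Sources>
  <Source>
    <URL>file:///usr/local/share/trisul/plugins/badfellas-local.tsv</URL>
    <Target>badfellas-local-0.tsv</Target>
  </Source>
  <Source>
    <URL>https://intel.example.org/feed.tsv</URL>
    <Target>myfeed.tsv</Target>
  </Source>
</Sources>"""


def check_local_sources(xml_text):
    """Return [(url, target, ok)] for every <Source>; ok is False when the
    Target does not match badfellas-local-*.tsv and so would not be processed."""
    results = []
    for src in ET.fromstring(xml_text).iter("Source"):
        url = (src.findtext("URL") or "").strip()
        target = (src.findtext("Target") or "").strip()
        results.append((url, target, fnmatch(target, "badfellas-local-*.tsv")))
    return results


if __name__ == "__main__":
    tsv, rejected = build_feed(INDICATORS)
    print(tsv, end="")
    print("rejected:", rejected)
    for url, target, ok in check_local_sources(SAMPLE_CONFIG):
        print("OK " if ok else "BAD", target, "<-", url)
```

Write the returned TSV text to the path you reference in the <URL> element, and treat the rejected list as a review queue rather than silently dropping it; a single stray tab in a description is enough to move the key into the wrong column for that line.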