Identify suspicious connections and IP addresses
GyulyVGC opened this issue · 2 comments
Identify suspicious connections and IP addresses:
- such entries should be highlighted in:
  - the network host list in Overview page
  - the Inspect page table
- a new notification kind should be added to warn about suspicious connections
Suspicious entries could be identified using a collection of IP blacklists available online (see ipsum).
Proper handling of the download and usage of such resource should also be taken into account:
- download the resource on startup, only if the latest download is older than a certain date (one week?)
- store the resource in a local file (MMDB? SQLite? Text?)
- load the resource from memory on startup, or query it for each new observed IP address
- create mirrors of the resource on GitLab / BitBucket / other, in case the ipsum repo is down on GitHub
Another possibility is to use an API like Virustotal.
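The cache-and-query flow sketched in the post above (refresh the feed on startup only when the local copy is older than a week, keep it in a local file, query it for each observed IP, fall back to a mirror when the primary source is down), written out as an added Rust example. This is not Sniffnet's code: it assumes ipsum's text format (one `IP<TAB>count` line per entry, `#` comment lines), a plain text file as the cache, and a caller-supplied download function so it runs offline; the feed content embedded below is constructed, not real ipsum data.

```rust
// Added example, not part of Sniffnet: a cached IP blacklist in ipsum's format.
// Assumptions: cache is a plain text file; the caller supplies the download step.
use std::collections::HashMap;
use std::fs;
use std::io;
use std::net::IpAddr;
use std::path::Path;
use std::time::{Duration, SystemTime};

/// In-memory blacklist: IP -> number of source lists that flagged it.
#[derive(Debug, Default)]
pub struct Blacklist {
    entries: HashMap<IpAddr, u32>,
}

impl Blacklist {
    /// Parse ipsum-style text. Comment lines and lines that fail to parse are
    /// skipped, so a truncated or partly corrupt download never aborts loading.
    pub fn parse(text: &str) -> Self {
        let mut entries = HashMap::new();
        for line in text.lines() {
            let line = line.trim();
            if line.is_empty() || line.starts_with('#') {
                continue;
            }
            let mut fields = line.split_whitespace();
            let ip = match fields.next().and_then(|s| s.parse::<IpAddr>().ok()) {
                Some(ip) => ip,
                None => continue,
            };
            let count = fields.next().and_then(|s| s.parse().ok()).unwrap_or(1);
            entries.insert(ip, count);
        }
        Blacklist { entries }
    }

    pub fn len(&self) -> usize {
        self.entries.len()
    }

    /// Number of lists that flagged `ip`, or None if it is not listed.
    pub fn lookup(&self, ip: IpAddr) -> Option<u32> {
        self.entries.get(&ip).copied()
    }

    /// Flag a hit only when enough lists agree, to keep false positives down.
    pub fn is_suspicious(&self, ip: IpAddr, min_lists: u32) -> bool {
        self.lookup(ip).map_or(false, |n| n >= min_lists)
    }
}

/// True when the cache file is missing, unreadable, or at least `max_age` old.
pub fn cache_is_stale(path: &Path, max_age: Duration, now: SystemTime) -> bool {
    match fs::metadata(path).and_then(|m| m.modified()) {
        Ok(modified) => now.duration_since(modified).map_or(true, |age| age >= max_age),
        Err(_) => true,
    }
}

/// Try each source in order (primary repo first, then mirrors); first success wins.
pub fn fetch_first_ok<F>(sources: &[&str], fetch_one: F) -> io::Result<String>
where
    F: Fn(&str) -> io::Result<String>,
{
    let mut last = io::Error::new(io::ErrorKind::NotFound, "no sources configured");
    for src in sources {
        match fetch_one(src) {
            Ok(text) => return Ok(text),
            Err(e) => last = e,
        }
    }
    Err(last)
}

/// Load the blacklist, refreshing the cache through `fetch` only when it is stale.
/// If the refresh fails but a cached copy exists, the stale copy is used instead.
pub fn load_blacklist<F>(cache: &Path, max_age: Duration, fetch: F) -> io::Result<Blacklist>
where
    F: Fn() -> io::Result<String>,
{
    if cache_is_stale(cache, max_age, SystemTime::now()) {
        match fetch() {
            Ok(text) => {
                fs::write(cache, &text)?;
                return Ok(Blacklist::parse(&text));
            }
            Err(e) if cache.exists() => {
                eprintln!("blacklist refresh failed ({}); using stale cache", e);
            }
            Err(e) => return Err(e),
        }
    }
    Ok(Blacklist::parse(&fs::read_to_string(cache)?))
}

/// Constructed sample in ipsum's format (documentation addresses, not real feed data).
pub const SAMPLE_FEED: &str =
    "# constructed sample for this example\n203.0.113.7\t9\n198.51.100.20\t1\nnot-an-ip\t3\n";

fn main() {
    let week = Duration::from_secs(7 * 24 * 3600);
    let cache = std::env::temp_dir().join("ipsum_cache_example.txt");
    // The real fetch would download the primary URL and then the mirrors; here it is stubbed.
    let bl = load_blacklist(&cache, week, || {
        fetch_first_ok(&["primary", "mirror"], |_| Ok(SAMPLE_FEED.to_string()))
    })
    .expect("blacklist load");
    let ip: IpAddr = "203.0.113.7".parse().unwrap();
    println!("{} flagged by {:?} lists, suspicious: {}", ip, bl.lookup(ip), bl.is_suspicious(ip, 3));
}
```

The threshold in `is_suspicious` is the knob that matters for the Overview/Inspect highlighting and the notification: ipsum's count is the number of feeds agreeing on an address, so a low threshold will flag far more hosts than a higher one. The stale-cache fallback means a startup with the feed and all mirrors unreachable still runs with the last good copy rather than with no blacklist at all.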
In order to make the function better for security researchers, I recommend making it possible to load a blacklist created by the user.
Seems reasonable.
Anyway I noticed while trying ipsum that using a blacklist in Sniffnet is pretty useless.
This is because blacklisted IPs are usually from clients, while the IPs you normally monitor from a personal computer are server ones.
It's a different story if you use Sniffnet on a server instead of a PC, but I feel like there aren't many users doing so. But I may be wrong.