maltrail VS metadata

I just wanted to tell you about Maltrail (https://github.com/stamparm/maltrail/).

Yes, MT had OOM on *BSD, because of python-pcapy module, which is currently unmaintained. So, the fork was done and python-pcapy-ng becomes actual module for MT, which fixed OOM and now MT works OK for *BSD-line: [1] https://github.com/stamparm/maltrail/issues/19056 [2] https://github.com/stamparm/maltrail/issues/16710 [3] py-pcapy-ng on Fresh Ports: https://www.freshports.org/net/py-pcapy-ng/ Also /requirement.txt file was modified for MT to avoid installing python-pcapy instead of python-pcapy-ng: [4] https://github.com/stamparm/maltrail/commit/2aa2da5ba5c332ddd106020290926d1fdfd0f8b2 Despite on all it, some mass-medias keep saying that python-pcapy is required for MT to work. No, just python-pcapy-ng. "Given everything is now encrypted, does anyone know if it is still effective?" <-- IDS (MT is the IDS itself) is passive detection, it doesn't provide the prevention actions. MT can use blocking mechanism, they are describes for Linux: https://github.com/stamparm/maltrail/wiki/Miscellaneous#1-setting-up-maltrail-as-an-intrusion-prevention-system-ips . If some can describe mechanism for MT on *BSD-line, that would be nice. Anyway would be thankful, if you provide details on missing ransomware. Perhaps, it is needed to update network IoCs, if ransomware comprometation was via network. Thank you! "Are the signatures reasonably up to date?" <-- trying to be up-to-dated: https://github.com/stamparm/maltrail/commits/master

Security Onion is a suite of tools, but if you just want visibility into things happening on your perimeter with Fail2ban style mitigation check out MalTrail. https://github.com/stamparm/MalTrail

The Threat Intelligence Feeds have multiple upstream sources, see https://github.com/nextdns/metadata/blob/master/security/threat-intelligence-feeds.json. In this case, Maltrail Blacklist seems to have included this domain. You can report this directly to that maintainer here: https://github.com/stamparm/maltrail/issues

last docker discovery : maltrail (https://github.com/stamparm/maltrail , about to be moved from VM to docker)

Which list is blocking archive.org? If "NextDNS Ads & Trackers Blocklist", probably some kind of mistake, write about it - https://github.com/nextdns/metadata/issues

You can find the NextDNS lists here: https://github.com/nextdns/metadata

You can always look at github. This is just the activity for their metadata repo: https://github.com/nextdns/metadata/commits/masterFeel free to check their other repos.

NextDNS gives you a whole bunch of 3rd party filters, maintained by random dudes in Github repos as a hobby. We support some of them too in the "3rd party filters" tab, however we don't encourage anyone to actually use them, as we have our own Native filters, that we've built up over the course of 5 years based on feedback for millions of Windscribe (our sister company) users. Our native filters are highly effective, and prone to much fewer false positives. We recommend you try them, you will be pleasantly surprised with how they perform. I guarantee you that you will spend 90% less time making whitelist rules for false blocks... or your money back :) "Native tracking protection" filters are all part of the IoT Filter. NextDNS has the individual toggles, which enforce this small set of rules. Out IoT filter enforces all of them, as well as 10x more things.

Here is the list: https://github.com/nextdns/metadata/blob/master/parentalcontrol/categories/video-streaming.json

Here's those native blocking lists from NextDNS: https://github.com/nextdns/metadata/tree/master/privacy/native

From https://github.com/nextdns/metadata/blob/master/privacy/blocklists/energized-ultimate.json the link used is https://block.energized.pro/ultimate/formats/domains.txt which currently contains nothing but comments.