Binary Defense Systems (BDS) is proud to announce the release of Artillery version 1.4. This version adds several new features. The first is the ability to hook into multiple threat intelligence feeds and incorporate them into Artillery's normal banlist threat intelligence feed. The inspiration came from Deep Impact (@DeepImpactIO) and a blog post written here: http://www.deepimpact.io/blog/splunkandfreeopen-sourcethreatintelligencefeeds. Artillery now has configuration options that let you specify multiple source feeds outside of Artillery's own threat intelligence feed. To enable these feeds, edit the Artillery config and set the option to ON (which is now the default):
# PULL ADDITIONAL SOURCE FEEDS FOR BANNED IP LISTS FROM MULTIPLE OTHER SOURCES OTHER THAN ARTILLERY
This will now pull from the following locations and automatically add them to banlist.txt which can be used for your detection capabilities internally:
# pull source feeds
url = ['http://rules.emergingthreats.net/blockrules/compromised-ips.txt', 'https://zeustracker.abuse.ch/blocklist.php?download=badips', 'https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist', 'http://malc0de.com/bl/IP_Blacklist.txt']
Artillery will poll these feeds every two hours looking for new IP addresses. Any new IP addresses it identifies are automatically added to Artillery's banlist.
Additionally, we've added the ability to recycle the banlist within Artillery, since the IP addresses used by attackers change continuously.
You can turn this feature on by editing the options below:
# RECYCLE LOGS AFTER A CERTAIN AMOUNT OF TIME – THIS WILL WIPE ALL IP ADDRESSES AND START FROM SCRATCH AFTER A CERTAIN INTERVAL
# RECYCLE INTERVAL AFTER A CERTAIN AMOUNT OF MINUTES IT WILL OVERWRITE THE LOG WITH A BLANK ONE AND ELIMINATE THE IPS – DEFAULT IS 7 DAYS
After 7 days, the banlist will be removed and a new one started.
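To make the two features above concrete (merging several source feeds into banlist.txt, and wiping the banlist once it is older than the recycle interval), here is an added example in Python. It is not Artillery's own code; the helper names (parse_feed, merge_feeds, is_stale, recycle_if_stale), the 7-day interval used in the demo, and the sample feed bodies are all constructed for illustration and stand in for what Artillery would download from the feed URLs in its config.

```python
import ipaddress
import os
import time
import urllib.request

# Constructed sample feed bodies standing in for the HTTP responses that would be
# fetched from the feed URLs listed in the Artillery config. Not real feed content.
SAMPLE_FEEDS = {
    "feed-a": "# compromised hosts (constructed sample)\n198.51.100.7\n203.0.113.9\n\n",
    "feed-b": "203.0.113.9\n198.51.100.250\nnot-an-ip\n192.0.2.1 # trailing comment\n",
}


def fetch_feed(url, timeout=20):
    """Download one feed body as text (hypothetical helper; not used by the demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def parse_feed(text):
    """Return the set of valid IPv4/IPv6 addresses found in one feed body.

    Comments, blank lines and anything that is not a syntactically valid address
    are dropped, so a malformed or garbage feed line never reaches the banlist.
    """
    ips = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ips.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # hostnames, CIDR ranges and junk are ignored
    return ips


def merge_feeds(feed_bodies, existing):
    """Union every feed's addresses into the existing banlist.

    Returns (merged, new) where `new` holds only addresses not already banned,
    which is what an operator would want to log when a poll adds entries.
    """
    merged = set(existing)
    new = set()
    for body in feed_bodies:
        for ip in parse_feed(body):
            if ip not in merged:
                merged.add(ip)
                new.add(ip)
    return merged, new


def load_banlist(path):
    """Read banlist.txt, tolerating a missing file and comment lines."""
    if not os.path.exists(path):
        return set()
    with open(path) as fh:
        return parse_feed(fh.read())


def write_banlist(path, ips):
    with open(path, "w") as fh:
        fh.write("\n".join(sorted(ips)) + "\n")


def is_stale(mtime, now, interval_seconds):
    """True when the banlist is at least interval_seconds old (pure, testable)."""
    return (now - mtime) >= interval_seconds


def recycle_if_stale(path, interval_seconds, now=None):
    """Wipe the banlist if older than the interval; mirrors the recycle option."""
    if not os.path.exists(path):
        return False
    now = time.time() if now is None else now
    if not is_stale(os.path.getmtime(path), now, interval_seconds):
        return False
    open(path, "w").close()  # overwrite with a blank file and start from scratch
    return True


if __name__ == "__main__":
    path = "banlist-demo.txt"  # constructed path for the demo run
    recycled = recycle_if_stale(path, 7 * 24 * 3600)
    merged, new = merge_feeds(SAMPLE_FEEDS.values(), load_banlist(path))
    write_banlist(path, merged)
    print("recycled:", recycled, "| total banned:", len(merged), "| new:", sorted(new))
```

Validating every line with ipaddress before it is written means a feed that starts serving comments, hostnames or broken lines degrades gracefully instead of polluting banlist.txt, and tracking the `new` set per poll gives you something worth alerting on.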
Full changelog below:
* added the ability to remove old records after a certain interval – this overwrites the banlist and starts from scratch at the configured interval; the options are available in the config file
* added multiple feeds based on the script from http://www.deepimpact.io/blog/splunkandfreeopen-sourcethreatintelligencefeeds – much appreciated. Artillery can now pull from multiple banlist IP feeds, and more will be added over time
* added new functions to handle several different aspects, including downloading files and parsing through banlist IPs
* turned banning OFF by default and turned the threat intelligence feed ON by default
* added a check so that when the intelligence feed is turned on and banning is turned off in the options, Artillery will pull intelligence feeds, check IP addresses and add them to the banlist, but not actively ban