activecm / rita-bl Goto Github PK

According to this the FireHOL list has a low false positive rate.

Malware Domains is no longer a free feed. It redirects you to https://riskanalytics.com/community/

https://github.com/activecm/rita-bl/blob/master/sources/lists/dns-bh.go

I'm looking for ideas on how to prevent known non-malicious IPs, etc from ending up being flagged by RITA in the blacklisted module. For instance, 8.8.8.8 (one of Google's public DNS servers) made it into a blacklist that we use for a source. However, this IP is not malicious and RITA reporting it is a false positive.

I'm almost tempted to say this is an issue for the blacklist curators and that we are simply reporting them as they are. However, I don't want to have to manually go remove these values when we generate reports. And I don't want to have to explain why Google's DNS is reported as malicious.

I suggest keeping a text file in the repo of known good IPs, etc that people happen to find from time to time in the blacklists. Then rita-bl could use this list as a sort of global whitelist to prevent anything in it from appearing in the blacklists. We provide sensible defaults but if people would like to change them, they can edit the file. I'm worried that this is too closely related to whitelisting within RITA which we have decided to avoid thus far.

Thoughts? Would something like this be technically feasible?

Implement dependency vendoring by using golang/dep. This will pin us to certain versions of dependencies using a dependency metadata file (Gopkg.toml and Gopkg.lock). This file will allow reproducible development and deployment environments and hopefully avoid future issues where dependencies introduce incompatible changes.