<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p>Since ThreatSTOP is an IP reputation company, we naturally have a Google News feed on the topic of 'IP reputation'. Today, for some reason, it provided a link to the <a href="http://ipreputation.global.sonicwall.com/view">IP reputation page of the firewall vendor SonicWALL</a>. Naturally I had to test the page out to see how well it did. I picked the 4 addresses currently listed on our home page as being the "worst of the web":</p> <div class="caption"> <a href="http://cdn2.hubspot.net/hubfs/2548414/Imported_Blog_Media/worstaddresses.png"><img class="size-full wp-image-370" title="Worst Addresses" src="http://cdn2.hubspot.net/hubfs/2548414/Imported_Blog_Media/worstaddresses.png" alt="The Worst IP Addresses for 4 Aug 2011" width="267" height="168"></a> </div> <p>The first of these addresses (49.212.100.60 from Japan) has been on our page for a few days now, so I thought it would be likely to be listed by SonicWALL.</p> <p><a href="http://cdn2.hubspot.net/hubfs/2548414/Imported_Blog_Media/49-212-100-60-sonicwall-1.png"><img class="aligncenter size-full wp-image-371" title="49.212.100.60-sonicwall" src="http://cdn2.hubspot.net/hubfs/2548414/Imported_Blog_Media/49-212-100-60-sonicwall-1.png" alt="SonicWALL's IP reputation for 49.212.100.60" width="500" height="211"></a>Just for reference, here is a screenshot of the ThreatSTOP opinion of this address, which lists 5 currently active entries in feeds plus one past entry:<a href="http://cdn2.hubspot.net/hubfs/2548414/Imported_Blog_Media/49-212-100-60-threatstop.png"><img class="aligncenter size-full wp-image-372" title="49.212.100.60-threatstop" src="http://cdn2.hubspot.net/hubfs/2548414/Imported_Blog_Media/49-212-100-60-threatstop.png" alt="The real IP reputation of 49.212.100.60" width="500" height="214"></a>However, all the feeds are basically server-side ones, so it occurred to me that perhaps SonicWALL is biased towards client-side threats like malware droppers, trojans and bots.</p> <p>Well, I tried the next entry (209.85.51.152 - USA) and SonicWALL was still oblivious to any threat from it:<a href="http://cdn2.hubspot.net/hubfs/2548414/Imported_Blog_Media/209-85-51-152-sonicwall-1.png"><img class="aligncenter size-full wp-image-373" title="209.85.51.152-Sonicwall" src="http://cdn2.hubspot.net/hubfs/2548414/Imported_Blog_Media/209-85-51-152-sonicwall-1.png" alt="" width="500" height="208"></a>while when I entered that address into our database I got even more hits:<a href="http://cdn2.hubspot.net/hubfs/2548414/Imported_Blog_Media/209-85-51-152-threatstop.png"><img class="aligncenter size-full wp-image-374" title="209.85.51.152-Threatstop" src="http://cdn2.hubspot.net/hubfs/2548414/Imported_Blog_Media/209-85-51-152-threatstop.png" alt="" width="500" height="134"></a></p> <p>As you can see, this one is much more of a threat to regular users. It's listed in the BLADE malware dropper list, a phishing list and two botnet C&amp;C lists, amongst others.
So the hypothesis that SonicWALL's IP reputation is user-centric seems to be untrue also.</p> <p>Just for completeness, I queried the two South Korean entries (112.175.243.22 and 112.175.243.24) in the SonicWALL IP reputation engine, with similar results:</p> <p><a href="http://cdn2.hubspot.net/hubfs/2548414/Imported_Blog_Media/112-175-243-22-sonicwall.png"><img class="alignnone size-thumbnail wp-image-375" title="112.175.243.22-Sonicwall" src="http://cdn2.hubspot.net/hubfs/2548414/Imported_Blog_Media/112-175-243-22-sonicwall-2.png" alt="" width="150" height="63"></a> <a href="http://cdn2.hubspot.net/hubfs/2548414/Imported_Blog_Media/112-175-243-24-sonicwall.png"><img class="alignnone size-thumbnail wp-image-376" title="112.175.243.24-Sonicwall" src="http://cdn2.hubspot.net/hubfs/2548414/Imported_Blog_Media/112-175-243-24-sonicwall-2.png" alt="" width="150" height="63"></a></p> <p>Needless to say, here at ThreatSTOP we know rather more about both, and in fact the latter address (112.175.243.24) has been on a total of 8 different lists since the middle of May, which is quite impressive and puts it in the running for the IP reputation award for "most depraved newcomer 2011".</p> <p><a href="http://cdn2.hubspot.net/hubfs/2548414/Imported_Blog_Media/112-175-243-24-threatstop-1.png"><img class="alignnone size-full wp-image-377" title="112.175.243.24-Threatstop" src="http://cdn2.hubspot.net/hubfs/2548414/Imported_Blog_Media/112-175-243-24-threatstop-1.png" alt="" width="500" height="134"></a></p> <p>Just for fairness, I plugged the 4 addresses into McAfee's TrustedSource, which doesn't share data with us, and all four were reported as bad.</p> <p>All in all, it has to be said that SonicWALL's IP reputation service seems to be rather less than efficacious.
In fact, it rather reminds me of the 3 famous monkeys that are in the same country as the first IP address.</p> <p><a href="http://cdn2.hubspot.net/hubfs/2548414/Imported_Blog_Media/3monkeys-1.jpg"><img class="aligncenter size-full wp-image-378" title="See no evil, hear no evil, speak no evil" src="http://cdn2.hubspot.net/hubfs/2548414/Imported_Blog_Media/3monkeys-1.jpg" alt="Mizaru kikazaru iwazaru" width="409" height="139"></a>This isn't exactly the attitude I'd want from an IP reputation service.</p></span>