Two Blacklists

Tshiddah_Shallal · March 16, 2022, 5:57pm

hi there,

I want to ask if it is possible to use two different blacklists at the same time.

One Blacklist should come from the lists I insert manually, but there are still some other websites I check personally if I want to blacklist them.

so I need another blacklist (perhaps a dark blue list) that I can see damn this are the websites you never should to whitelist.

can you please help me

jfb · March 16, 2022, 6:02pm

I don't fully understand your question. Can you be more specific? Walk me through the details of what you are trying to accomplish.

Bercik · March 17, 2022, 6:38pm

@Tshiddah_Shallal if you want TWO blacklists, you could use workaround by setting up one as your own subscritpion and second would be "regular" blacklist

@jfb I had trouble understanding what he meant, but I think i got it, in fact I have the same request/problem if my understanding is correct. Let me give you an example:

I own a rather big network. Continuously looking for any suspicious activity (hacked, illegal activity, basically anything not welcome).

So far we have these options:

whitelist (allow even if it's on subscription list)
blacklist

When I browse through a lot of queries, I see multiple blocks and allowed. Among them, SOME queries are rather unusual. There could be a thousands of legit queries, and between them something fishy that is not blocked (on subscription list).

Right know only way I can filter using webui is: only blocked, only allowed - What i'm missing is: "known" and "unknown" website.

Example usage: I'd mark *.facebook.com *.gmail.com *.youtube.com and many other trusted destinations as know so I could simply filter them out (regardless if specific query has been blocked for spying or something / or not)

Not to confuse "known" with "whitelist", putting it on "known" won't cause entire domain to be accepted. All manual and subscription blacklist still apply.
Then after adding all "popular" destinations, browsing through logs would be supercool.

So far i'm doing this manually copying to excel end filtering it out. But it's not just boring, repetative - but I duplicate a lot of work unnecessarily (i already recognize youtube, tiktok, origin, steam and soooo many other hits that could have been excluded)

With this "known/not-known" or "known/new" feature after few iterations checking for anything "new" would be literally just few simple clicks.

If you decide it's worth considering , I can even create new topic for this if needed.

So far 350 000 queries daily and it's only rising....

yubiuser · March 17, 2022, 7:09pm

This is exactly what "Tools/Audit log" is for. It will only list domains which you haven't audited before. Once you clicked audit or black/whitelist from that audit log page they will not be shown there. If you do this regularly, only new so far un-audited domains will be shown.

Bercik · March 19, 2022, 3:15pm

Just checked it out @yubiuser it looks promising, but is there a trick to not only see TOP queries? I'm auditing top allowed right now, but the list goes on and on and on...
It may happen that when they single user opens up something naughty once or twice - and this request will be at the very bottom of this toplist.

yubiuser · March 19, 2022, 3:24pm

Yes, the list is ordered by number of times this particular domain has been requested. Once you have audited the top once the list will be refilled with domains requested less often. If you are looking for domains only requested once or twice, you need to go through all others before. But remember: you only need to do this whole process only once.

Bercik · March 19, 2022, 3:46pm

That's true, only once.
So I can almost treat this as closed case.

Final question (i promise )
Is it possible for future, to get a global audit option then? Like
*.google.com
*.microsoft.com
and so on.
I spent last 20min on clicking some tiktok and youtube CDNs...

I know, once but... c'mon. Prefix/regex is allowed in block/white lists. Just one step away from being also here

Bercik · March 25, 2022, 4:33pm

It's been six days... i'm still clicking audit. There must be another way.

yubiuser · March 25, 2022, 9:23pm

You really want that?. You might miss ads.google.com

Bercik · March 26, 2022, 5:44am

haha, good point, but THIS is why i mentioned it should be (and it is) a separate list. Not related to blacklist/whitelist. So "auditing" should not interfere with blocks.

I just woke up and check status. In top10 8 out of 10 currently listed are "known" to me. 1000th subdomain of Microsoft, amazon, some VODs and so on. Just two domains are new to me. It's like reverse Pareto

Tshiddah_Shallal · March 29, 2022, 2:17pm

I want to see in the query Log the domains I blacklisted in another colour then the domains which are blacklisted over the lists