Since ThreatSTOP is an IP Reputation company, we naturally have a google news feed on the topic of 'IP reputation'. Today, for some reason, it provided a link to the IP reputation page of the firewall vendor SonicWALL. Naturally I had to test the page out to see how well it did. I picked the 4 addresses currently listed on our home page as being the "worst of the web":
The first of these addresses (220.127.116.11 from Japan) has been on our page for a few days now so I thought it would be likely to be listed by SonicWALL.
Just for reference here is a screenshot of the ThreatSTOP opinion of this address which lists 5 currently active entries in feeds plus one past entry:However all the feeds are basically server side ones, so it occurred to me that perhaps SonicWALL is biased to client side threats like Malware droppers, trojans and bots.
As you can see this one is much more of a threat to regular users. It's listed in the BLADE malware dropper list, a phishing list and two botnet C&C lists amongst others. So the hypothesis that SonicWALL's IP reputation is user centric seems to be untrue also.
Just for completeness I queried the two South Korean entries (18.104.22.168 and 22.214.171.124) in the SonicWALL IP reputation engine with similar results:
Needless to say, here at ThreatSTOP we know rather more about both and in fact the latter address (126.96.36.199) has been on a total of 8 different lists since the middle of May which is quite impressive and puts it in the running for the IP reputation award for "most depraved newcomer 2011"
Just for fairness I plugged the 4 addresses into McAfee's trusted source, which doesn't share data with us, and all four were reported as bad.
All in all it has to be said that theSonicWALL's IP reputation service seems to be rather less that efficacious. In fact it rather reminds me of 3 famous monkeys that are in the same country as the first IP address.