Watchlists Module
=================

    The watchlists module provides three views of hosts in your
    internal network that are participating in potentially dangerous
    behavior.

      * "Suspicious Host" traffic is data being sent by internal hosts
        to external hosts that are known to be untrustworthy.  Large
        amounts of communication with these hosts might suggest an
        active exploit, while small amounts of communication might
        represent scanning activity.

      * "Suspicious Port" traffic is data being sent by internal hosts
        to external hosts on ports that should generally not be
        exported.  Most often this represents scanning activity, but
        large amounts of traffic might indicate that a service
        (perhaps a file server) is being exported unintentionally
        across your borders.

      * "Dark Network Addresses" traffic is data being sent by
        internal hosts to network addresses that are known to not be
        active.  Communication to these addresses may be backscatter,
        or it may indicate that a local machine has been compromised
        and is scanning external addresses.

    For the module to work properly, the following SiLK ipset files
    must be created in ${prefix}/modules/watchlists/etc.

      * "internal.set" is required by all three of the views above.
        It should be a representation of your internal IP space.  It
        is recommended that you include all addresses routed to you,
        not only those addresses you know to be used by existing
        hosts.

      * "blacklist.set" is required by the "Suspicious Host" view.
        This is an ipset of external addresses that you consider
        untrustworthy.

      * Finally, "darkspace.set" is required by the "Dark Network
        Addresses" view.  It should describe a space of addresses that
        you know to not be in use.  The provided "ianaXXXX.set" covers
        private and unallocated space as of this writing.  You might
        use this as a base for your own darkspace set.  Note that
        since some private use areas are commonly used by VPNs, you
        might need to exclude those from the set, depending on your
        sensor configuration.  (If network traffic to these addresses
        is being routed outside your local network, that's a problem.
        However, your sensors might be configured to observe internal
        network traffic, rather than traffic crossing the border.)
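
    As an added example (not part of this module's own code), the
    following Python models the three views over constructed flow
    records.  Inline CIDR lists stand in for internal.set,
    blacklist.set and darkspace.set (SiLK ipset files are not parsed
    here), the port list is hypothetical, and a VPN range is removed
    from the darkspace list as the note above suggests.

```python
"""Model of the three watchlist views over flow records.
Added example: inline CIDR lists stand in for the SiLK ipset files,
and the flows, VPN range and port list are constructed."""
import ipaddress

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

INTERNAL = nets("192.0.2.0/24")                      # stand-in for internal.set
BLACKLIST = nets("203.0.113.0/24")                   # stand-in for blacklist.set
DARKSPACE_BASE = nets("10.0.0.0/8", "172.16.0.0/12", "198.51.100.0/24")
VPN_RANGES = nets("10.8.0.0/16")                     # private space used by a VPN
SUSPICIOUS_PORTS = {135, 137, 138, 139, 445}         # hypothetical "do not export" list

def exclude(base, removed):
    """Return base minus removed, in the spirit of rwsettool --difference."""
    result = []
    for net in base:
        pieces = [net]
        for r in removed:
            kept = []
            for p in pieces:
                if p.subnet_of(r):
                    continue                 # wholly covered: drop it
                if r.subnet_of(p):
                    kept.extend(p.address_exclude(r))
                else:
                    kept.append(p)
            pieces = kept
        result.extend(pieces)
    return result

DARKSPACE = exclude(DARKSPACE_BASE, VPN_RANGES)      # stand-in for darkspace.set
def in_set(ip, ipset):
    return any(ip in n for n in ipset)

def classify(sip, dip, dport):
    """Return the names of the views an outbound flow lands in."""
    sip, dip = ipaddress.ip_address(sip), ipaddress.ip_address(dip)
    views = set()
    if not in_set(sip, INTERNAL) or in_set(dip, INTERNAL):
        return views                         # only internal -> external traffic is watched
    if in_set(dip, BLACKLIST):
        views.add("suspicious_host")
    if dport in SUSPICIOUS_PORTS:
        views.add("suspicious_port")
    if in_set(dip, DARKSPACE):
        views.add("dark_network")
    return views
```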