- definitely any firewall egress filter/outbound traffic to a "bad IP"
- any other mechanisms you have to detect internal communication sources to a "bad IP" - router ACLs, IDS, local firewalls, authentication traffic, etc.
- excessive traffic from a number of "bad IPs" might be a more targeted attack (or denial of service)
Many of the IPs in the lists are botnets, so for those you're primarily going to find value (or scary things, depending on how you look at it) in rules that look for internal-to-external communication (workstations, servers) outbound to any of those hosts. Inbound traffic from them is interesting in a probing/Denial of Service/targeted attack way, so you might set them to decent thresholds.
If you have to have any open ports or static NATs, etc. inbound to a server or app, a rule to alert you when known threats are detected coming to that particular IP and perhaps actions to auto-block those external offenders could seriously hinder the attacker. This could be another layer of defense to protect your Internet-facing nodes or nodes that shouldn't be doing anything questionable at all with the Internet, such as your servers that rarely browse the web or any credit card subnets, etc.
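The three rule types described in the replies above (outbound from an internal host to a listed IP, inbound from a listed IP to an Internet-facing host, and "many distinct listed sources" as a probing/DoS signal) can be prototyped against firewall logs before they are turned into SIEM correlation rules. The script below is an added example, not code from either poster or from any vendor product; the threat feed, internal ranges, exposed host list, log format and threshold are all constructed (the feed uses RFC 5737 documentation addresses, so nothing in it is a real indicator).

```python
import ipaddress
import re
from collections import Counter

# Constructed threat feed using RFC 5737 documentation ranges; not real indicators.
BAD_IP_LIST = """
# feed entries, one IP or CIDR per line
203.0.113.5
203.0.113.0/28
198.51.100.77
"""

# Hypothetical internal address space and Internet-facing hosts (static NAT / open ports).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
EXPOSED_HOSTS = {"192.168.50.10"}

# Distinct listed sources seen inbound before we treat it as probing/DoS rather than noise.
DISTINCT_SOURCE_THRESHOLD = 3

# Constructed firewall log lines in a generic key=value style (assumed format).
SAMPLE_LOGS = [
    "2024-05-01T09:00:01 fw1 src=10.1.2.3 dst=203.0.113.5 dport=443 action=allow",
    "2024-05-01T09:00:02 fw1 src=10.1.2.4 dst=198.51.100.200 dport=443 action=allow",
    "2024-05-01T09:00:03 fw1 src=203.0.113.9 dst=192.168.50.10 dport=80 action=allow",
    "2024-05-01T09:00:04 fw1 src=198.51.100.77 dst=192.168.50.10 dport=22 action=deny",
    "2024-05-01T09:00:05 fw1 src=203.0.113.12 dst=192.168.1.20 dport=445 action=deny",
    "2024-05-01T09:00:06 fw1 src=203.0.113.3 dst=192.168.1.20 dport=3389 action=deny",
    "this line is malformed and is skipped",
]

LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=(?P<action>\w+)"
)


def load_bad_networks(text):
    """Parse a feed of IPs/CIDRs into ip_network objects, ignoring comments and blanks."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def in_any(ip, nets):
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_line(line):
    """Extract src/dst/dport/action from a log line, or None if it does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def evaluate(lines, bad_nets):
    """Apply the three rule types and return the alerts plus inbound source counts."""
    alerts = []
    inbound_sources = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, dst = ev["src"], ev["dst"]
        if in_any(src, INTERNAL_NETS) and in_any(dst, bad_nets):
            # Rule 1: internal host talking out to a listed IP (the botnet/C2 pattern).
            # An allowed connection is the worrying case; a denied one is still worth seeing.
            sev = "high" if ev["action"] == "allow" else "medium"
            alerts.append({"rule": "outbound_to_bad_ip", "severity": sev,
                           "src": src, "dst": dst})
        elif in_any(src, bad_nets) and in_any(dst, INTERNAL_NETS):
            inbound_sources[src] += 1
            if dst in EXPOSED_HOSTS:
                # Rule 2: listed source hitting a host we deliberately expose.
                alerts.append({"rule": "inbound_bad_ip_to_exposed_host", "severity": "medium",
                               "src": src, "dst": dst, "dport": int(ev["dport"])})
    if len(inbound_sources) >= DISTINCT_SOURCE_THRESHOLD:
        # Rule 3: many distinct listed sources in the window -> probing / DoS / targeted.
        alerts.append({"rule": "many_bad_sources_inbound", "severity": "medium",
                       "distinct_sources": len(inbound_sources),
                       "events": sum(inbound_sources.values())})
    return {"alerts": alerts, "inbound_sources": dict(inbound_sources)}


def run_demo():
    return evaluate(SAMPLE_LOGS, load_bad_networks(BAD_IP_LIST))


if __name__ == "__main__":
    for alert in run_demo()["alerts"]:
        print(alert)
```

On the sample data this raises one high-severity outbound alert (a workstation reaching a listed address over 443), two inbound-to-exposed-host alerts, and one summary alert because four distinct listed sources were seen inbound. The threshold and the "exposed hosts" set are the knobs the replies talk about tuning: raise the threshold if a noisy feed makes rule 3 fire constantly, and keep the exposed set limited to the addresses that really have open ports or static NATs so rule 2 stays meaningful.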