Include / exclude logic

Every source in an EDL Deployment is either included (+, green), excluded (-, red), or unset. This page describes how ELLIO resolves the final IP set when sources overlap.

The single rule

Excludes always win over includes.

If an IP appears in any included source and any excluded source, the IP is not in the EDL.

That's the whole rule. The rest of this page explains why each source type behaves the way it does given that rule.

Per-source-type behaviour

ELLIO Threat Lists

  • Include MAX (or 250K, 100K, RDP) → all the list's IPs are candidates for the EDL.
  • Exclude MAX → guarantees no MAX IP appears, even if a custom ruleset adds one of the same IPs.

MAX itself excludes RECON IPs at generation time, so including MAX does not include Censys, Shodan, etc. To include those, include their dedicated RECON list.

RECON Lists

  • Include Censys → Censys IPs become candidates.
  • Exclude Censys → guarantees no Censys IP appears, even if MAX accidentally lists one or your custom blocklist contains one.

Most production deployments exclude the scanners they trust (Shadowserver, Rapid7) and include the ones they don't.

Common Business Services

  • Include Cloudflare CDN → all Cloudflare CDN IPs are candidates for the EDL.
  • Exclude Cloudflare CDN → guarantees no Cloudflare CDN IP appears, even if MAX or your custom ruleset would have added one.

Most deployments exclude the CBS members their stack depends on (CDN, M365, Google Workspace) and otherwise leave CBS unset.

My External IP Lists (BYOIPB)

  • Include a BYOIPB source → all its IPs are candidates.
  • Exclude a BYOIPB source → guarantees none of its IPs appear.

Useful for staging: ingest a community blocklist as BYOIPB, exclude it while you measure false positives, then flip to include when you're satisfied.

My IP Rulesets

  • Include an Allowlist ruleset → don't. Allowlist rulesets are designed to be excluded from blocklist EDLs.
  • Exclude an Allowlist ruleset → guarantees the IPs you've allow-listed never appear in the EDL.
  • Include a Blocklist ruleset → adds your custom blocklist IPs to the EDL.
  • Exclude a Blocklist ruleset → guarantees those IPs are never in the EDL (rarely useful).

The default rulesets that ship with every workspace nudge you in the right direction with their built-in descriptions:

  • "My Allowlist rules - Default allowlist ruleset. Do not forget to exclude this ruleset when creating your custom blocklist."
  • "My Blocklist rules - Default blocklist ruleset. Do not forget to include this ruleset when creating your custom blocklist."

Resolution order

When ELLIO regenerates an EDL it walks every source the deployment references and computes:

  1. The union of every included source's IPs.
  2. The union of every excluded source's IPs.
  3. The final EDL = (1) minus (2).

CIDR ranges expand notionally during this calculation - excluding 198.51.100.0/24 removes every individual IP that would otherwise have appeared.

Allowlist EDL Deployments

If your Purpose is Allowlist (Configuration → Metadata) the same logic applies, but inverted from a firewall perspective: only IPs in the EDL are allowed by your firewall. The wizard's metadata is purely organisational - the firewall decides whether the EDL is used as an allowlist or a blocklist based on which security policy references the URL.

A worked example

Imagine you're building a typical production ingress blocklist:

| Source | Choice | Why |
|---|---|---|
| ELLIO Threat List MAX | Include | Backbone of the blocklist. |
| RECON: Censys, BinaryEdge, Cortex Xpanse, Driftnet, InfraWatch, Internet Census, InternetTL, LeakIX, NetScout, Nokia Deepfield, Stretchoid, BufferOver, Shodan | Include | Block these scanners. |
| RECON: Shadowserver, Rapid7 | Exclude | Trust these scanners - they send free abuse reports. |
| CBS Cloud Providers → AWS | Exclude | Some of your customers run on AWS; don't block them. |
| CBS CDNs → Cloudflare | Exclude | You sit behind Cloudflare. |
| CBS SaaS → Microsoft 365 | Exclude | Your tenants live on M365. |
| BYOIPB → vendor C2 list | Include | Vendor's high-confidence C2 feed. |
| My IP Rulesets → My Allowlist rules | Exclude | Your safety net for false positives. |
| My IP Rulesets → My Blocklist rules | Include | Your hand-curated additions. |

The resulting EDL contains: MAX + 13 RECON lists + the C2 list + your custom blocklist - minus Shadowserver, Rapid7, AWS, Cloudflare, M365, and your allowlist.

If anything ever blocks something it shouldn't, add the affected IP to My Allowlist rules and the next regeneration cycle (5 min – 24 h depending on update frequency) will remove it.