[Discussion] Features

Jamie Riden jamie.riden at gmail.com
Fri Oct 17 08:26:49 UTC 2008


2008/10/17 Matt Jonkman <jonkman at jonkmans.com>:
>
> 2. IP Reputation Sharing
> I want to feed these gigs of data I have and other projects have into my
> security devices and let it use that data to make smarter decisions. IP
> reputation isn't a new concept, but applying it in realtime will be a
> challenge. But this also opens us up to the possibility of sharing
> reputation data between ourselves.

Got to be a little bit careful here - I've seen my DNS servers appear
in dshield attack logs before, for entirely normal traffic. Another
time someone promoted a random domain controller to be a stratum 1 NTP
server and wondered why he was getting 'attacks' on port 123/udp. My
point is, it could be quite easy to pollute the data set with false
positives.

> 5. Scoring
> Spam-assassin style point scoring. This would go a long way to
> eliminating false positives. The absolutely sure 100% guaranteed true
> positive rules of course would still hit. But the ones that are wrong as
> often as right could be given a score, say a half a point. If something
> else happens from that host within a certain timeframe that pushes that
> over a threshold then all of these alerts come back and can be acted
> upon with more confidence they're real. Complicated, but worthwhile.

I guess my mental model for snort rules includes a degree of belief
that the alert is indicative of a real problem, plus an idea of
severity, if the alert is a real problem and not a false positive.

If I see a lot of traffic from 169.254/16, that's probably a genuine
alert because some end user has a misconfigured system, but I don't
really care too much about it.

If I see a sasser FTP transfer outbound, probably a genuine alert and I
*really* care about that.

And then there are the NOP sled alerts which are usually false
positives, but if they are correct, they are important.

So I'd prefer it if we could use two numbers to score alerts with -
confidence and severity, so to speak. This approach might end up being
quite similar to the IP reputation system in a lot of ways.

cheers,
 Jamie
-- 
Jamie Riden / jamesr at europe.com / jamie at honeynet.org.uk
UK Honeynet Project: http://www.ukhoneynet.org/
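An added example (my own, not code from Jamie, Matt, Snort or any Emerging Threats tooling) of how the two ideas in this thread fit together: each rule carries a confidence and a severity, per-host confidence is summed Spam-assassin style inside a time window, and once a host crosses the threshold all of its held alerts come back ordered by severity. Rule names, scores, the window and the sample alerts are constructed placeholders, not real Snort SIDs or tuned values.

```python
from collections import defaultdict

# Constructed rule table (placeholder names, not real SIDs). Each rule has two
# numbers: confidence = belief the alert is real, severity = how much it
# matters if it is real. A confidence of 1.0 means the rule hits on its own.
RULES = {
    "link-local-traffic":  {"confidence": 1.0, "severity": 1},  # 169.254/16 noise
    "sasser-ftp-outbound": {"confidence": 1.0, "severity": 9},
    "nop-sled":            {"confidence": 0.5, "severity": 8},  # usually FP, bad if real
}

THRESHOLD = 1.0   # summed confidence needed before a host's alerts are raised
WINDOW = 300      # seconds; older events drop out of the sum


def correlate(alerts, rules=RULES, threshold=THRESHOLD, window=WINDOW):
    """Spam-assassin style scoring per source host.

    alerts: iterable of (timestamp, src_ip, rule_name) in time order.
    Returns {src_ip: [(rule_name, severity), ...]} for hosts whose summed
    confidence within `window` reached `threshold`; the list is sorted
    most severe first so an analyst sees what matters at the top.
    """
    pending = defaultdict(list)   # src_ip -> [(ts, rule_name)] still held back
    promoted = {}
    for ts, src, rule in alerts:
        if rule not in rules:
            continue                # unknown rule, ignore rather than guess a score
        events = pending[src]
        events.append((ts, rule))
        # Expire events outside the window before summing.
        events[:] = [(t, r) for t, r in events if ts - t <= window]
        score = sum(rules[r]["confidence"] for _, r in events)
        if score >= threshold:
            promoted[src] = sorted(
                ((r, rules[r]["severity"]) for _, r in events),
                key=lambda pair: -pair[1])
            events.clear()          # raised; start a fresh window for this host
    return promoted


# Constructed sample alerts: two NOP-sled hits close together (promoted), two far
# apart (window expires, held), and one sasser outbound hit (promoted alone).
SAMPLE_ALERTS = [
    (0,    "10.0.0.5", "nop-sled"),
    (0,    "10.0.0.7", "nop-sled"),
    (50,   "10.0.0.9", "sasser-ftp-outbound"),
    (100,  "10.0.0.5", "nop-sled"),
    (1000, "10.0.0.7", "nop-sled"),
]

if __name__ == "__main__":
    for host, raised in correlate(SAMPLE_ALERTS).items():
        print(host, raised)
```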