[Discussion] What are we making? -- CLIENT Side

Matt Jonkman jonkman at jonkmans.com
Mon Oct 20 17:42:34 UTC 2008


David Glosser wrote:
> Based on other conversations with Matt concerning malwaredomains & the
> dns-bh list, there could be several BadNess lists/rules, hostility
> within the previous 24 hours, previous 48 hrs, previous 96 hrs, 1
> week, etc.
> 
> Then the data file would only be super large for the full "BadNess" list
> and a few of the long ones.
> 
> Of course, "Enumerating Badness" is still reactive.
> 
> Matt, I know you've done things with predictive blacklisting.....
> http://www.emergingthreats.net/content/view/88/1/). Could this
> research be leveraged as well?

Just updated our website backend so the link you were probably looking
for is:
http://www.emergingthreats.net/index.php/component/content/article/18-research/88-hpb.html

This was work DShield is publishing, which is really good stuff. I hope
we can contribute to and benefit from it in the engine.

But yes, even IP reputation is still reactive, but if published quickly
enough I think it's still very effective.

matt


> On Sun, Oct 19, 2008 at 9:36 PM, Frank Knobbe <frank at knobbe.us> wrote:
>> On Sun, 2008-10-19 at 14:30 -0500, Martin Holste wrote:
>>> Right, but I envision the XML to be the source that scripts would
>>> parse into whatever is needed, like router config, dns blocklists,
>>> host files, search engine blacklists, etc.  The key would be to create
>>> a standard capable of being specific enough to feed the lowest common
>>> demoninator.
>> Just be aware that there are lots and lots of hostile IP's. I'm not sure
>> XML is the proper format to deliver those since that data file would
>> balloon quite drastically :)
>>
>> -Frank
>> --
>> It is said that the Internet is a public utility. As such, it is best
>> compared to a sewer. A big, fat pipe with a bunch of crap sloshing
>> against your ports.
>> _______________________________________________
>> Discussion mailing list
>> Discussion at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
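The design points raised in the thread, a single canonical feed that scripts render into router ACLs, hosts files and other consumer formats (Martin), time-windowed "previous 24h / 48h / 96h / 1 week" badness lists (David), and the size concern about shipping a large IP list as XML (Frank), worked through as an added example. This is not code from the thread, from Emerging Threats or from DShield; every indicator, timestamp and function name below is a constructed assumption for illustration.

```python
"""Render one canonical hostile-host feed into windowed, consumer-specific lists."""
from datetime import datetime, timedelta, timezone
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample feed: (indicator, last seen hostile, UTC). Documentation
# ranges and .example names only; none of these are real indicators.
NOW = datetime(2008, 10, 20, 17, 42, tzinfo=timezone.utc)
FEED = [
    ("198.51.100.7",  NOW - timedelta(hours=3)),
    ("203.0.113.9",   NOW - timedelta(hours=30)),
    ("bad.example",   NOW - timedelta(hours=70)),
    ("worse.example", NOW - timedelta(days=6)),
    ("old.example",   NOW - timedelta(days=20)),
]

# The windowed lists David describes: each is a subset of the full list.
WINDOWS = {
    "24h": timedelta(hours=24),
    "48h": timedelta(hours=48),
    "96h": timedelta(hours=96),
    "1w":  timedelta(days=7),
}


def window(feed, max_age, now=NOW):
    """Entries seen hostile within the last max_age (None keeps the full list)."""
    if max_age is None:
        return list(feed)
    return [(ind, seen) for ind, seen in feed if now - seen <= max_age]


def is_ip(indicator):
    """True for IPv4/IPv6 literals, False for hostnames."""
    try:
        ipaddress.ip_address(indicator)
        return True
    except ValueError:
        return False


def to_hosts(entries):
    """hosts-file sinkhole lines; only hostnames make sense here."""
    return "\n".join(f"0.0.0.0 {ind}" for ind, _ in entries if not is_ip(ind))


def to_acl(entries, name="BADNESS"):
    """Cisco-style extended ACL denying traffic to the hostile IPs; IPs only."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" deny ip any host {ind}" for ind, _ in entries if is_ip(ind)]
    lines.append(" permit ip any any")
    return "\n".join(lines)


def to_xml(entries):
    """The XML source format Martin proposes: one <entry> per indicator."""
    root = ET.Element("badness")
    for ind, seen in entries:
        entry = ET.SubElement(root, "entry")
        ET.SubElement(entry, "indicator").text = ind
        ET.SubElement(entry, "last_seen").text = seen.isoformat()
    return ET.tostring(root, encoding="unicode")


def to_plain(entries):
    """Compact tab-separated form: indicator, epoch seconds of last sighting."""
    return "\n".join(f"{ind}\t{int(seen.timestamp())}" for ind, seen in entries)


def size_ratio(entries):
    """How many times larger the XML rendering is than the plain one (Frank's point)."""
    return len(to_xml(entries)) / len(to_plain(entries))


if __name__ == "__main__":
    for label, age in WINDOWS.items():
        print(f"{label}: {len(window(FEED, age))} entries")
    print(to_acl(window(FEED, WINDOWS["1w"])))
    print(to_hosts(window(FEED, WINDOWS["1w"])))
    print(f"XML/plain size ratio: {size_ratio(FEED):.1f}")
```

The split into `window()` plus per-consumer renderers is the point: the canonical feed carries a last-seen timestamp so any window can be cut at publish time, and the big full list only has to be shipped in the compact form, with XML reserved for the short windows where its overhead does not matter.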