[Discussion] What are we making? -- CLIENT Side
Matt Jonkman
jonkman at jonkmans.com
Fri Oct 24 15:43:01 UTC 2008
Ya, we're definitely interested in getting all ideas on the board. We
have time to iron them out and choose what we go after now vs later vs
never. Or things we spawn into sub-projects.
Matt
David Glosser wrote:
> I think listing all possible actions is a good exercise, then, after
> brainstorming is over, deciding what is best.
>
> For example, for granny, there's blocking/preventing at the browser
> level, blocking/preventing at the OS, at her home router, via DNS, via
> IP, etc. then there's blocking (or null routing, etc) at her ISP,
> bringing down the host, contacting the hosting provider, etc...
>
>
>
>
> On Wed, Oct 22, 2008 at 7:35 PM, Martin Holste <mcholste at gmail.com
> <mailto:mcholste at gmail.com>> wrote:
>
> I like the idea, but are there really that many different actions to
> be taken, and aren't they going to be org specific? If I know that
> an IP is spamming, I don't just want to block them from emailing, I
> want to block all access from that IP since it is untrustworthy.
> But I do think there is a lot of value in developing and
> distributing better language for describing why the given IP/host is
> now on the list and other descriptions. I'm more for giving orgs
> the most information that we can, and leaving it to them to
> implement the actual blocking decisions.
>
> --Martin
>
>
> On Wed, Oct 22, 2008 at 5:35 PM, Blake Hartstein <urule99 at gmail.com
> <mailto:urule99 at gmail.com>> wrote:
>
> What if we focus on developing and distributing a better
> language for
> communicating actionable events?
> The idea is to make all intelligence more valuable and
> immediate. If I
> see this input event, alert, network, ISP, javascript, URL, how
> does it
> impact me, and what do I do about it? Instead of just collecting and
> distributing, the goal is to direct the actions for (ISP takedown,
> firewall, admin action, more). This enhances all of the prior
> research
> we've already done.
>
>
> Blake
>
>
>
> robert.jamison at bt.com <mailto:robert.jamison at bt.com> wrote:
> > It seems we're a split camp with:
> >
> > [Keynesian CAMP]
> > Client Side Product/Service with ability to protect/detect
> compromise on
> > grannyx home user
> > *scope most thoroughly represented by Martin's " RFC: Proposal for
> > Analysis Framework"
> >
> > [Supply Side CAMP]
> > Focus on server side protection for net critical assets
> > *Andre/Jack "What is absolutely horrible in its current state is
> > IDS/IPS" / "Client side is simply not possible due to
> political and
> > religious issues."
> >
> > Additional notes gathered (I've just caught up on my reading;-)
> >
> > (a) Consideration for re-write defanging capability as inline
> protection
> > (b) Efficiency in stream storage--essentially normalize data
> inspection
> > so it doesn't have to be redone by multiple engines
> > (c) XML vs. Binary distribution of verbose alerts vs. instruction
> > inferred datapoints
> > (d) Consideration for extending existing project Bro
> >
> > Anything I'm missing?
> >
> > Rob
>
>
>
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> <mailto:Discussion at openinfosecfoundation.org>
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
More information about the Discussion
mailing list