[Discussion] Features

Matt Jonkman jonkman at jonkmans.com
Wed Jan 7 01:00:52 UTC 2009


David Glosser wrote:
> Going back to reputation scoring, I think domains could be scored as well.
> 
>  Say reputation is from 0-100 (with 100 being bad enough to block:)
> 
> If a domain is on the same IP address as a bad site, it gets a score of 50.
> If a domain is on an adjacent IP address to a bad site, it gets a score of 30.
> If a domain is on the same IP netblock as a bad site, it gets a score of 20.
> If a domain is fast-flux, it gets a score of 30
> If a domain has been registered within 30 days, it gets a score of 10.
> If a domain has been used for malspam, it gets a score of 100.
> etc.
> 
> This may be computationally intensive due to the reverse-IP lookups,
> so it may have to be refreshed every night or so...

On the note of centralized state, maybe the DNS lookups could be
centrally stored but cached on each sensor. So in theory a central
process could do any lookups, or do refresh lookups, and propagate to
sensors?

Matt

>>
>> On Wed, Oct 22, 2008 at 8:19 PM, Martin Holste <mcholste at gmail.com> wrote:
>>> I really like that idea.  It won't directly lead to blocking innocent
>>> IPs, but will still give the good guys a simple and reliable predictive
>>> capability.
>>>
>>> On Wed, Oct 22, 2008 at 7:04 PM, David Glosser <david.glosser at gmail.com>
>>> wrote:
>>>> Back to the idea of Spam-assassin scoring:
>>>>
>>>> Once a bad host is identified, then I'm wondering if IP reputation could
>>>> maybe use a "halo effect" whereby other IPs by the same provider are given
>>>> lower scores.
>>>>
>>>> Say reputation is from 0-100 (with 100 being bad)
>>>>
>>>> So if an IP on hosting provider "Btrivo" contains malware, that IP gets a
>>>> reputation score of 50.
>>>> Adjacent IPs are given a reputation score of 30.
>>>> All of the IPs in "Btrivo's" netblock are given a reputation score of 10.
>>>>
>>>> Two adjacent IP addresses each hosting malware each will get a score of
>>>> 90 (50+30+10).
>>>>
>>>> If malware goes away, score decreases each day. For each day host is
>>>> still up, score increases....
>>>>

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
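A worked version of the additive scoring sketched in this thread (the IP "halo effect" from David's first message and the domain-level points from his follow-up), written as an added example for this archive page; it is not code from the thread, the list, or Emerging Threats. The weights are the ones David proposed. Everything else is an assumption made here for illustration: "netblock" is taken to mean the same /24, a domain inherits the highest halo score among its resolved IPs, an adjacent bad host contributes both its adjacency points and its netblock points (which is what reproduces the thread's 50+30+10 = 90), the daily increase/decrease is a fixed step of 5, and the addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Additive IP/domain reputation scoring, as discussed on the list.

Added example; not the thread's or Emerging Threats' code. Weights are the
thread's, the rest (record layout, /24 as "netblock", per-day step of 5,
max-over-IPs for domains, cap at 100) is assumed here for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, Set

BLOCK_THRESHOLD = 100  # 100 == bad enough to block

# Halo weights for an IP relative to a known-bad host.
SAME_IP, ADJACENT_IP, SAME_NETBLOCK = 50, 30, 10

# Extra domain-level signals.
FAST_FLUX, NEWLY_REGISTERED, USED_FOR_MALSPAM = 30, 10, 100

DAILY_STEP = 5  # assumed size of the per-day increase/decrease


def ip_halo_score(ip: IPv4Address, bad_ips: Iterable[IPv4Address]) -> int:
    """Sum the halo contribution of every known-bad host near `ip`.

    Contributions from different bad hosts add up. A bad IP that sits next
    to another bad IP in the same /24 therefore gets 50 (itself) + 30
    (adjacent neighbour) + 10 (neighbour in the same netblock) = 90.
    """
    score = 0
    for bad in bad_ips:
        if bad == ip:
            score += SAME_IP  # the host itself is known bad
            continue
        if abs(int(bad) - int(ip)) == 1:
            score += ADJACENT_IP
        # "Netblock" is assumed to mean the same /24 here.
        if ip in IPv4Network(f"{bad}/24", strict=False):
            score += SAME_NETBLOCK
    return min(score, BLOCK_THRESHOLD)


@dataclass
class DomainRecord:
    """What a sensor would hold for a domain after a (cached) DNS lookup."""
    name: str
    ips: Set[IPv4Address]
    fast_flux: bool = False
    registered_days_ago: int = 3650
    used_for_malspam: bool = False


def domain_score(rec: DomainRecord, bad_ips: Set[IPv4Address]) -> int:
    """Domain points from the follow-up message, on top of the IP halo.

    Assumption: the domain inherits the worst halo score among its IPs.
    """
    score = max((ip_halo_score(ip, bad_ips) for ip in rec.ips), default=0)
    if rec.fast_flux:
        score += FAST_FLUX
    if rec.registered_days_ago <= 30:
        score += NEWLY_REGISTERED
    if rec.used_for_malspam:
        score += USED_FOR_MALSPAM
    return min(score, BLOCK_THRESHOLD)


def age_score(score: int, still_hosting_malware: bool) -> int:
    """One day's adjustment: up while the host stays up, down once it is clean."""
    if still_hosting_malware:
        return min(score + DAILY_STEP, BLOCK_THRESHOLD)
    return max(score - DAILY_STEP, 0)


if __name__ == "__main__":
    # Constructed sample data (RFC 5737 documentation addresses).
    bad = {IPv4Address("198.51.100.10"), IPv4Address("198.51.100.11")}
    for host in ("198.51.100.10", "198.51.100.12", "198.51.100.200", "203.0.113.5"):
        print(host, ip_halo_score(IPv4Address(host), bad))
    shop = DomainRecord("shop.example", {IPv4Address("198.51.100.12")},
                        fast_flux=True, registered_days_ago=5)
    print(shop.name, domain_score(shop, bad))
    print("day later, still up:", age_score(90, True))
    print("day later, cleaned:", age_score(90, False))
```

Because every contribution is additive, a single bad host in a large shared /24 pushes every neighbour to only 10, well under the block threshold, while a cluster of bad hosts on adjacent addresses climbs quickly; that is the "predictive capability" Martin describes without blocking innocent IPs outright.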
