[Discussion] Features
Matt Jonkman
jonkman at jonkmans.com
Wed Jan 7 01:00:52 UTC 2009
David Glosser wrote:
> Going back to reputation scoring, I think domains could be scored as well..
>
> Say reputation is from 0-100 (with 100 being bad enough to block:)
>
> If a domain is on the same IP address as a bad site, it gets a score of 50.
> If a domain is an adjacent IP address as a bad site, it gets a score of 30.
> If a domain is on the same IP netblock as a bad site, it gets a score of 20.
> If a domain is fast-flux, it gets a score of 30
> If a domain has been registered within 30 days, it gets a score of 10.
> If a domain has been used for malspam, it gets a score of 100.
> etc.
>
> This may be computationally intensive due to the reverse-ip lookups,
> so it may have to refreshed every night or so...
On the note of centralized state, maybe the dns lookups could be
centrally stored but cached on each sensor. So in theory a central
process could do any lookups, or do refresh lookups, and propagate to
sensors?
Matt
>
>
>
>
>>>> Adjacent IPs are given a reputation score of 30.
>>>> All of the IPs in "Btrivo's" netblock are given a reputation score of 10.
>>>>
>>>> Two adjacent IP addresses each hosting malware each will get a score of
>>>> 90 (50+30+10).
>>>>
>>>> If malware goes away, score decreases each day. For each day host is
>>>> still up, score increases....
>
>
>>
>> On Wed, Oct 22, 2008 at 8:19 PM, Martin Holste <mcholste at gmail.com> wrote:
>>> I really like that idea. It won't directly lead to blocking innocent
>>> IP's, but will still give the good guys a simple and reliable predictive
>>> capability.
>>>
>>> On Wed, Oct 22, 2008 at 7:04 PM, David Glosser <david.glosser at gmail.com>
>>> wrote:
>>>> Back to the idea of Spam-assassin scoring:
>>>>
>>>> Once a bad host is identified, then I'm wondering if IP reputation could
>>>> maybe using a "halo effect" whereby other IPs by the same provider are given
>>>> lower scores.
>>>>
>>>> Say reputation is from 0-100 (with 100 being bad)
>>>>
>>>> So if an IP on hosting provider "Btrivo" contains malware, that IP gets a
>>>> reputation score of 50.
>>>> Adjacent IPs are given a reputation score of 30.
>>>> All of the IPs in "Btrivo's" netblock are given a reputation score of 10.
>>>>
>>>> Two adjacent IP addresses each hosting malware each will get a score of
>>>> 90 (50+30+10).
>>>>
>>>> If malware goes away, score decreases each day. For each day host is
>>>> still up, score increases....
>>>>
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
More information about the Discussion
mailing list