[Oisf-users] ip reputation

Kevin Ross kevross33 at googlemail.com
Wed Jan 13 16:35:33 UTC 2010


Hi, and what sort of things can we expect from it? Will it be "this IP is in
a bad pool, and you can block an IP of a poor rep automatically or increase
the reliability of a sig for a block only", like the Cisco IPS 7 software, or will
it be more advanced?

I remember in the last Hakin9 where you were mentioning spotting
botnets based on DNS TTLs to detect fast-flux DNS, to identify possible
infections? With the compromised, RBN lists etc. I find that tracking down
malware which is not getting past the firewall, so is just sending SYNs to a
control server, is flagged, as it doesn't trigger virus sigs as there is no
connection, so I think IP reputation is going to be fantastic.

Now if only there was a Snort preprocessor or just an add-on to take
advantage of this for my home Smoothwall.... ;) Once IP reputation is in and
working fine I will probably move over my Snort sensors to Suricata (or at
least a few installs around the place).

Great work though, I never expected it to move so fast to have a release
already and main features appearing within months.
Kev

2010/1/13 Matt Jonkman <jonkman at jonkmans.com>

> Hey Pedro.
>
> That's the big challenge we're getting solved soon. The idea we're trying
> out is to have central hubs distribute changes to a centralized DB. Nodes of
> the hub would report their last update and the hub would send them the diff
> from the main.
>
> Maybe they'd load the initial db from a daily snapshot or something for a
> new sensor then get the diffs for the day. Not sure there yet. But the
> concept is that hubs will distribute info to and receive from sensors. That
> info received will be assimilated and redistributed.
>
> That answer your question?
>
> Matt
>
> On Jan 13, 2010, at 11:07 AM, Pedro Marinho wrote:
>
> > Victor,
> >
> > thanks for the answer. i was just wondering how this works.. if a
> suricata sensor would have to periodically retrieve the ip reputation
> information or something..
> >
> >
> > Message: 2
> > Date: Tue, 12 Jan 2010 11:43:22 +0100
> > From: Victor Julien <victor at inliniac.net>
> > Subject: Re: [Oisf-users] ip reputation
> > To: oisf-users at openinfosecfoundation.org
> > Message-ID: <4B4C524A.9040508 at inliniac.net>
> > Content-Type: text/plain; charset=ISO-8859-1
> >
> > Pedro Marinho wrote:
> > > Hello Gentlemen,
> > >
> > > I am trying to understand the ip reputation mechanism. Could anyone
> > > explain or point to a paper?
> > > I see this graph here but I can't understand exactly how bad the
> > > reputation is just by looking at it..
> > > http://isc.sans.org/ipinfo.html?ip=202.111.175.157
> > >
> > > ps: newbie here
> >
> > Hi Pedro, we currently have no working code yet that does ip reputation.
> > We're expecting to have very basic functionality in about 2 to 3 weeks
> > and more extensive support later.
> >
> > Cheers,
> > Victor
> >
> >
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> >
> >
> >
> > ------------------------------
> >
> > _______________________________________________
> > Oisf-users mailing list
> > Oisf-users at openinfosecfoundation.org
> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> >
> > End of Oisf-users Digest, Vol 2, Issue 7
> > ****************************************
> >
>
>
> ----------------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Open Information Security Foundation (OISF)
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> http://www.openinformationsecurityfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
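The hub/diff distribution model Matt sketches above (a central hub with a versioned master table, sensors reporting their last update and receiving only the diff, new sensors bootstrapping from a daily snapshot, and sensor-sourced intelligence flowing back up for redistribution), as an added example. This is hypothetical Python written for this page, not Suricata or OISF code: the `Hub`, `Sensor` and `Change` names, the 0-127 score range, the category labels and the sample IPs (documentation ranges) are all constructed here. The `outbound_syn_verdict` method illustrates Kevin's point that a lone outbound SYN carries nothing for a content signature to match, so the verdict has to come from the destination's reputation.

```python
"""Hypothetical hub/sensor IP-reputation sync (constructed example, not OISF code)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Change:
    """One entry in the hub's ordered change log. score=None means 'withdraw'."""
    version: int
    ip: str
    category: str
    score: Optional[int]


def apply_change(db: dict, ch: Change) -> None:
    """Apply one change to a reputation table shaped ip -> {category: score}."""
    if ch.score is None:
        cats = db.get(ch.ip)
        if cats is not None:
            cats.pop(ch.category, None)
            if not cats:          # drop the IP once its last category is gone
                del db[ch.ip]
    else:
        db.setdefault(ch.ip, {})[ch.category] = ch.score


class Hub:
    """Central hub: master table plus a version-numbered change log."""

    def __init__(self) -> None:
        self.version = 0               # highest version issued so far
        self.log: list[Change] = []
        self.db: dict = {}

    def publish(self, ip: str, category: str, score: Optional[int]) -> int:
        ipaddress.ip_address(ip)       # reject garbage before it reaches the master db
        if score is not None and not 0 <= score <= 127:
            raise ValueError("score out of range (assumed 0-127 scale)")
        self.version += 1
        ch = Change(self.version, ip, category, score)
        self.log.append(ch)
        apply_change(self.db, ch)
        return self.version

    def snapshot(self) -> tuple[int, dict]:
        """Deep copy of the table tagged with its version: the 'daily snapshot'."""
        return self.version, {ip: dict(c) for ip, c in self.db.items()}

    def diff_since(self, version: int) -> tuple[int, list[Change]]:
        """Everything a sensor at `version` is missing, plus the version it reaches."""
        if version > self.version:     # a sensor can never be ahead of the hub
            raise ValueError(f"sensor version {version} > hub version {self.version}")
        return self.version, [c for c in self.log if c.version > version]


class Sensor:
    """A sensor keeps a local copy and only ever asks the hub for the diff."""

    def __init__(self) -> None:
        self.version = 0
        self.db: dict = {}

    def bootstrap(self, version: int, snapshot: dict) -> None:
        self.db = {ip: dict(c) for ip, c in snapshot.items()}
        self.version = version

    def sync(self, hub: Hub) -> int:
        """Report last version, apply the returned diff, return how many applied."""
        new_version, changes = hub.diff_since(self.version)
        for ch in changes:
            apply_change(self.db, ch)
        self.version = new_version
        return len(changes)

    def report(self, hub: Hub, ip: str, category: str, score: int) -> None:
        """Sensor-sourced intelligence goes up to the hub for redistribution."""
        hub.publish(ip, category, score)

    def outbound_syn_verdict(self, dst_ip: str, threshold: int = 80) -> str:
        """No payload to match on, so decide purely on the destination's reputation."""
        worst = max(self.db.get(dst_ip, {}).values(), default=0)
        return "alert" if worst >= threshold else "allow"


def demo() -> dict:
    hub = Hub()
    hub.publish("192.0.2.10", "cnc", 90)             # constructed sample data
    hub.publish("198.51.100.7", "scanner", 40)
    snap_version, snap = hub.snapshot()              # daily snapshot at version 2

    old = Sensor()
    old.bootstrap(snap_version, snap)                # existing sensor: starts from snapshot
    hub.publish("203.0.113.5", "cnc", 95)            # arrives after the snapshot
    hub.publish("198.51.100.7", "scanner", None)     # earlier entry withdrawn

    applied_old = old.sync(hub)                      # only the 2 post-snapshot changes
    fresh = Sensor()
    applied_fresh = fresh.sync(hub)                  # version 0: replays all 4

    old.report(hub, "192.0.2.77", "cnc", 85)         # sensor-sourced entry
    old.sync(hub)
    fresh.sync(hub)                                  # redistributed to the other sensor
    return {
        "applied_old": applied_old,
        "applied_fresh": applied_fresh,
        "converged": old.db == fresh.db,
        "hub_version": hub.version,
        "verdict_cnc": fresh.outbound_syn_verdict("203.0.113.5"),
        "verdict_withdrawn": fresh.outbound_syn_verdict("198.51.100.7"),
    }


if __name__ == "__main__":
    print(demo())
```

The change log is what makes the diff cheap: a sensor at version N just asks for everything above N, and a brand-new sensor is the same request with N = 0, so the snapshot is an optimisation rather than a separate code path. The one check worth keeping in a real implementation is the "sensor ahead of hub" case, which signals a corrupt or spoofed sensor state rather than something to silently serve.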