[Oisf-users] ip reputation

Matt Jonkman jonkman at jonkmans.com
Wed Jan 13 17:56:25 UTC 2010


On Jan 13, 2010, at 11:35 AM, Kevin Ross wrote:

> Hi, and what sort of things can we expect from it? Will it be this IP is in a bad pool and you can block an IP of a poor rep automatically or increase the reliability of a sig for a block only like Cisco IPS 7 software or will it be more advanced? 
> 

Several things. You should be able to block any IP with a reputation below a certain number in certain categories. Say anything with a very bad rep in the spam category, or scanner, etc. 

We also will be able to query reputation in rules. So if we have a rule that false positives horrendously we can add a check that the reputation in a particular category (or overall average) is below a certain thing. If not then no alert. Not foolproof, but better!


> I remember in the last Hackin9 where you were mentioning about spotting botnets based on DNS ttls to detect fastflux dns to identify possible infections? With the compromised, rbn lists etc I find that tracking down malware which is not getting past the firewall so is just sending SYNs to a control server is flagged as it doesn't trigger virus sigs as there is no connection so I think IP reputation is going to be fantastic. 
> 

Yes! Very much. We can do a lot in dns and in the rbn lists with reputation. Essentially all that intelligence will move to ip reputation and allow us to use it in many more ways.

> Now if only there was a snort preprocessor or just an addon to take advantage of this for my home smoothwall.... ;) Once IP reputation is in and working fine I will probably move over my Snort sensors to Suricata (or at least a few installs around the place).
> 

Love to have you using our stuff! It's close to ready for prime time, but will be adding new features for some time to come!

> Great work though, I never expected it to move so fast to have a release already and main features appearing within months. 
> 

Neither did I frankly, but the guys we have on the team coding are just spectacular! Biggest brains in the business, and I don't think any of them have taken a day off in 6 months. :) 

Matt


> 
> 2010/1/13 Matt Jonkman <jonkman at jonkmans.com>
> Hey Pedro.
> 
> That's the big challenge we're getting solved soon. The idea we're trying out is to have central hubs distribute changes to a centralized DB. Nodes of the hub would report their last update and the hub would send them the diff from the main.
> 
> Maybe they'd load the initial db from a daily snapshot or something for a new sensor then get the diff's for the day. Not sure there yet. But the concept is that hubs will distribute info to and receive from sensors. That info received will be assimilated and redistributed.
> 
> That answer your question?
> 
> Matt
> 
> On Jan 13, 2010, at 11:07 AM, Pedro Marinho wrote:
> 
> > Victor,
> >
> > thanks for the answer. i was just wondering how this works.. if a suricata sensor would have to periodically retrieve the ip reputation information or something..
> >
> >
> > Message: 2
> > Date: Tue, 12 Jan 2010 11:43:22 +0100
> > From: Victor Julien <victor at inliniac.net>
> > Subject: Re: [Oisf-users] ip reputation
> > To: oisf-users at openinfosecfoundation.org
> > Message-ID: <4B4C524A.9040508 at inliniac.net>
> > Content-Type: text/plain; charset=ISO-8859-1
> >
> > Pedro Marinho wrote:
> > > Hello Gentlemen,
> > >
> > > I am trying to understand the ip reputation mechanism. Could anyone
> > > explain or point a paper ?
> > > i see this graph here but i can't understand exactly how bad is the
> > > reputation just by looking at it..
> > > http://isc.sans.org/ipinfo.html?ip=202.111.175.157
> > >
> > > ps: newbie here
> >
> > Hi Pedro, we currently have no working code yet that does ip reputation.
> > We're expecting to have very basic functionality in about 2 to 3 weeks
> > and more extensive support later.
> >
> > Cheers,
> > Victor
> >
> >
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
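Added example, not code from this thread, from Suricata or from OISF: a small Python model of the three ideas discussed above, blocking an IP whose reputation in a category falls below a threshold, gating a noisy rule so it only alerts when the source's reputation (per category or the overall average) is below a limit, and a hub that hands sensors only the changes since the sequence number they last reported. The 0-100 scale (0 = worst), the category names, the sequence-number diff scheme and the choice to still alert when an IP has no reputation at all are assumptions made here for illustration, not anything the thread specifies.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed scale: 0 = worst reputation, 100 = clean. Category names are illustrative.
CATEGORIES = ("spam", "scanner", "cnc")


@dataclass
class RepEntry:
    ip: str
    scores: Dict[str, int]
    seq: int  # hub sequence number of the last change to this entry


class ReputationHub:
    """Central DB. Every change bumps a sequence number, so a sensor can ask for
    'everything changed since N' instead of pulling the whole table each time."""

    def __init__(self) -> None:
        self.entries: Dict[str, RepEntry] = {}
        self.seq = 0

    def update(self, ip: str, scores: Dict[str, int]) -> int:
        for cat, val in scores.items():
            if cat not in CATEGORIES or not 0 <= val <= 100:
                raise ValueError(f"bad score {cat}={val} for {ip}")
        self.seq += 1
        entry = self.entries.get(ip)
        if entry is None:
            self.entries[ip] = RepEntry(ip, dict(scores), self.seq)
        else:
            entry.scores.update(scores)  # merge: other categories keep their values
            entry.seq = self.seq
        return self.seq

    def diff_since(self, last_seq: int) -> List[RepEntry]:
        """Entries changed after last_seq. diff_since(0) is the full snapshot."""
        return [e for e in self.entries.values() if e.seq > last_seq]


class Sensor:
    """A node holding a local copy of the reputation data, refreshed by diffs."""

    def __init__(self) -> None:
        self.local: Dict[str, Dict[str, int]] = {}
        self.last_seq = 0  # a fresh sensor reports 0 and receives the full snapshot

    def sync(self, hub: ReputationHub) -> int:
        changed = hub.diff_since(self.last_seq)
        for e in changed:
            self.local[e.ip] = dict(e.scores)
        self.last_seq = hub.seq
        return len(changed)

    def score(self, ip: str, category: str) -> Optional[int]:
        scores = self.local.get(ip)
        if not scores:
            return None
        if category == "average":
            return sum(scores.values()) // len(scores)
        return scores.get(category)

    def should_block(self, ip: str, thresholds: Dict[str, int]) -> bool:
        """Block if the IP scores below the limit in any of the listed categories."""
        for cat, limit in thresholds.items():
            s = self.score(ip, cat)
            if s is not None and s < limit:
                return True
        return False

    def rule_alerts(self, ip: str, rule_matched: bool, category: str, limit: int) -> bool:
        """Noisy-rule gate: alert only when the rule matched AND the source's
        reputation in `category` (or 'average') is below `limit`."""
        if not rule_matched:
            return False
        s = self.score(ip, category)
        if s is None:
            return True  # assumption: no reputation data -> do not suppress the alert
        return s < limit


if __name__ == "__main__":
    # Constructed sample data (documentation ranges), not real reputation scores.
    hub = ReputationHub()
    hub.update("203.0.113.5", {"spam": 5, "scanner": 90})
    hub.update("198.51.100.7", {"scanner": 20})
    sensor = Sensor()
    print("initial sync pulled", sensor.sync(hub), "entries")
    hub.update("203.0.113.5", {"cnc": 10})
    print("second sync pulled", sensor.sync(hub), "entry (only the changed IP)")
    print("block 203.0.113.5 on spam<10:", sensor.should_block("203.0.113.5", {"spam": 10}))
    print("noisy rule, scanner<50:", sensor.rule_alerts("203.0.113.5", True, "scanner", 50))
```

The diff is a state diff rather than a change log: an IP updated several times between two syncs is delivered once, with its latest scores, which is what a sensor that only cares about current reputation wants. Thresholds are per category on purpose, so a mail gateway can block on a poor spam score without also dropping every host that once appeared in the scanner category.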





