[Oisf-users] IP Reputation and smart alerts

Russell Fulton r.fulton at auckland.ac.nz
Thu Aug 1 21:33:38 UTC 2013


Just watched the ET/Plixar webinar — what caught my eye in the blurb was the mention of IP reputation.  This is something I am very interested in.

BTW Matt — thanks for running one at 1700 EDT — a very civilised 0800 here.  Did you have me in mind?  :)

I am seeing many trojan rules being triggered by what appear to be legitimate (for some value of legitimate) traffic particularly to Chinese IP addresses.  We have many thousands of Chinese students on campus so we see a lot of traffic to and from China.

I have come to the conclusion that there are at least two things going on here:
1/ we have some network layer software which is used in a variety of applications, some legit and some most definitely not.  The non legit apps may well have stolen the code from a legit app.
2/ there are a large number of Chinese tracking services — these things routinely report all sorts of stuff back home and many (most?) of the free/cheap Chinese apps use them.  I have a strong suspicion that some malware does too.  So we see alerts for highly specific sigs which are clearly detecting tracking data being sent out but the destination is clearly linked with some genuine software.

For the first category adding IP reputation into the alert criteria would really help here if it was fine grained enough.

Dealing with the second issue is more problematic.  For most non edu sites someone talking to one of these monitoring sites is probably worth looking into but for us it is just noise.

Ideally we feed all this data into a SIEM - IDS alerts, IP reputation, and have a heap of smart correlation rules to extract the signal.  I am starting to think that that approach could actually happen in the IDS and be subject to some global configuration setting.

Each rule has a reliability indicator and as traffic goes by the IDS maintains a score for each source.  When that threshold is exceeded then an alert is raised. In practice you would probably want to have a set of thresholds (warn, alert, critical) and you alert as an IP crosses these boundaries.

I effectively do this by hand every day.  I look at an alert and then pull all the alerts for that IP and possibly netflow and CIF data as well. What I really need is to have the confidence in the raw alerts that I can *automatically* inform support staff "this box is infected".
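The scoring scheme sketched in the post (per-rule reliability, a running score per source, warn/alert/critical thresholds, and a site-level setting that decides whether tracker traffic counts) can be prototyped outside the IDS over its alert output. The block below is an added example written for this page; it is not code from the post, from Suricata or from Emerging Threats. The reputation categories, weights, thresholds, SIDs and IP addresses are all constructed for the illustration (203.0.113.0/24 is a documentation range), and the `reliability` field stands in for whatever per-rule confidence value a site assigns.

```python
"""Score-based alert correlation with IP reputation (illustrative, constructed).

Each rule hit is weighted by the rule's reliability and by the reputation
category of the destination.  A running score is kept per source host and a
notification is emitted only when the score first crosses a threshold, so a
host generating hundreds of low-value alerts does not page anyone more than
once per level.
"""
from dataclasses import dataclass, field

# Multiplier applied to a hit by destination reputation category.  The
# "tracking" entry is the site-specific knob from the post: an edu site with
# many phones/apps reporting to analytics endpoints mutes it; other sites may
# want it to count fully (see NON_EDU_WEIGHTS).
EDU_WEIGHTS = {
    "malware_c2": 2.0,   # destination known to serve command and control
    "suspicious": 1.0,   # destination of mixed or unclear use
    "tracking": 0.0,     # app telemetry / analytics endpoint: noise here
    "unknown": 0.5,      # no reputation entry for the destination
}
NON_EDU_WEIGHTS = dict(EDU_WEIGHTS, tracking=1.0)

# Thresholds the running score must cross, ascending.
THRESHOLDS = (("warn", 3.0), ("alert", 6.0), ("critical", 10.0))


@dataclass
class Alert:
    src_ip: str
    dst_ip: str
    sid: int            # constructed rule id, not a real ET signature
    reliability: float  # rule confidence in [0, 1], assigned per rule


@dataclass
class SourceState:
    score: float = 0.0
    crossed: set = field(default_factory=set)  # levels already reported
    hits: list = field(default_factory=list)   # (sid, dst_ip, contribution)


class Correlator:
    def __init__(self, reputation, weights=EDU_WEIGHTS, thresholds=THRESHOLDS):
        self.reputation = reputation      # dst_ip -> category
        self.weights = weights
        self.thresholds = thresholds
        self.state = {}                   # src_ip -> SourceState

    def contribution(self, alert):
        category = self.reputation.get(alert.dst_ip, "unknown")
        return alert.reliability * self.weights[category]

    def ingest(self, alert):
        """Add one alert to its source's score; return levels newly crossed."""
        st = self.state.setdefault(alert.src_ip, SourceState())
        delta = self.contribution(alert)
        st.score += delta
        st.hits.append((alert.sid, alert.dst_ip, delta))
        newly = []
        for level, limit in self.thresholds:
            if st.score >= limit and level not in st.crossed:
                st.crossed.add(level)
                newly.append(level)
        return newly

    def run(self, alerts):
        """Return (src_ip, level, score) for every threshold crossing."""
        events = []
        for a in alerts:
            for level in self.ingest(a):
                events.append((a.src_ip, level, round(self.state[a.src_ip].score, 2)))
        return events


# Constructed reputation feed (documentation addresses).
SAMPLE_REPUTATION = {
    "203.0.113.10": "tracking",
    "203.0.113.20": "malware_c2",
    "203.0.113.30": "suspicious",
}

# Constructed alerts: host .5 is chatty with a tracker via the same generic
# rule that host .7 triggers against a known C2 destination.
SAMPLE_ALERTS = [
    Alert("10.1.1.5", "203.0.113.10", 9000001, 0.9),
    Alert("10.1.1.5", "203.0.113.10", 9000001, 0.9),
    Alert("10.1.1.5", "203.0.113.10", 9000001, 0.9),
    Alert("10.1.1.5", "203.0.113.10", 9000001, 0.9),
    Alert("10.1.1.5", "203.0.113.99", 9000002, 0.4),  # unknown dst, weak rule
    Alert("10.1.1.7", "203.0.113.20", 9000001, 0.9),
    Alert("10.1.1.7", "203.0.113.20", 9000003, 0.8),
    Alert("10.1.1.7", "203.0.113.30", 9000004, 0.7),
    Alert("10.1.1.7", "203.0.113.20", 9000005, 1.0),
]


def demo(weights=EDU_WEIGHTS):
    """Run the sample alerts under a given site weighting and return events."""
    return Correlator(SAMPLE_REPUTATION, weights).run(SAMPLE_ALERTS)


if __name__ == "__main__":
    print("edu site:    ", demo())
    print("non-edu site:", demo(NON_EDU_WEIGHTS))
```

Under the edu weighting only the host talking to the C2 destination crosses warn and then alert; the tracker-heavy host never surfaces. Switching to `NON_EDU_WEIGHTS` changes nothing in the rules or the reputation feed, yet the tracker host now reaches warn on its fourth hit, which is the "global configuration setting" behaviour the post asks for.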

