[Oisf-users] IP Reputation and smart alerts

Peter Bates peter.bates at ucl.ac.uk
Fri Aug 2 08:24:22 UTC 2013



Hello all

On 01/08/2013 22:33, Russell Fulton wrote:
> Each rule has a reliability indicator and as traffic goes by the IDS maintains a score for each source.  When that threshold is exceeded then an alert is raised. In practice you would probably want to have a set of thresholds (warn, alert, critical) and you alert as an IP crosses these boundaries.
> 
> I effectively do this by hand every day.  I look at an alert and then pull all the alerts for that IP and possibly netflow and CIF data as well. What I really need is to have the confidence in the raw alerts that I can *automatically* inform support staff "this box is infected".

We have a group of rules that we have nearly 100% confidence 
in that we specifically target - when we correlate those rules
with other indicators (EK hits, out of date Java, etc.) then the klaxons sound.

I was playing with DenyHosts the other day - specifically their 
'synchronization mode' where hosts share attacking IPs with each other
and thought it might be nice if wider information could be shared in a similar manner.

I guess it's very similar to the "Threat Intelligence" and cloud-y functions 
creeping into Next Generation Firewalls/AV/HIDS - an open standard would be nice
and obviously the 'network' could grow based on people wanting to share their
attack information - still needs infrastructure however.

-- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division         Internal Ext: 32049
University College London
London WC1E 6BT
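The scheme Russell describes in the quoted text (a reliability weight per rule, a running score per source, warn/alert/critical boundaries) and the correlation Peter mentions (a near-100%-confidence rule plus a second indicator) can be put together in a few dozen lines. What follows is an added example, not code from the original thread or from Suricata; it reads eve.json-style alert records (only `event_type`, `src_ip` and `alert.signature_id` are used), and the signature ids, reliability weights, thresholds and sample records are all constructed for the illustration. It only emits when a source crosses a boundary, so a host sitting at "warn" does not generate a message on every further hit.

```python
import json
from collections import defaultdict

# Hypothetical reliability weight per Suricata signature id (sid -> 0.0..1.0).
# The sids and weights are constructed for this example, not real rule metadata.
RULE_RELIABILITY = {
    9000001: 0.95,  # assumed near-100%-confidence C2 check-in signature
    9000002: 0.25,  # noisy port-scan signature, low weight
    9000003: 0.50,  # generic suspicious user-agent
    9000004: 0.90,  # assumed exploit-kit landing-page signature
}
DEFAULT_WEIGHT = 0.1  # sid with no entry: small but non-zero contribution

# Ordered thresholds; a source's level is the highest bound its score has reached.
THRESHOLDS = (("warn", 1.0), ("alert", 2.0), ("critical", 3.0))

# Rules treated as near-certain: one hit plus any other distinct indicator
# from the same source is enough to declare the host infected.
HIGH_CONFIDENCE = frozenset(sid for sid, w in RULE_RELIABILITY.items() if w >= 0.9)


def level_for(score):
    """Return the name of the highest threshold reached, or None."""
    reached = None
    for name, bound in THRESHOLDS:
        if score >= bound:
            reached = name
    return reached


class SourceScorer:
    """Keeps a running score per source IP and reports threshold crossings."""

    def __init__(self):
        self.score = defaultdict(float)
        self.level = {}                    # src -> last reported level
        self.sids_seen = defaultdict(set)  # src -> distinct sids that fired
        self.confirmed = set()             # sources already declared infected

    def feed(self, record):
        """Consume one eve.json alert dict; return the events this record triggers."""
        if record.get("event_type") != "alert":
            return []  # flow, dns, http records carry no rule verdict
        src = record["src_ip"]
        sid = record["alert"]["signature_id"]
        self.score[src] += RULE_RELIABILITY.get(sid, DEFAULT_WEIGHT)
        self.sids_seen[src].add(sid)
        events = []
        # Threshold crossing: report only when the level actually changes.
        new_level = level_for(self.score[src])
        if new_level != self.level.get(src):
            self.level[src] = new_level
            events.append((new_level, src))
        # Correlation: a high-confidence rule plus a second distinct indicator.
        if (src not in self.confirmed
                and self.sids_seen[src] & HIGH_CONFIDENCE
                and len(self.sids_seen[src]) >= 2):
            self.confirmed.add(src)
            events.append(("infected", src))
        return events


def run(lines):
    """Feed newline-delimited eve.json records; return (events, scorer)."""
    scorer = SourceScorer()
    events = []
    for line in lines:
        line = line.strip()
        if line:
            events.extend(scorer.feed(json.loads(line)))
    return events, scorer


def _alert(ts, src, sid):
    """Build a constructed eve.json alert line with the fields the scorer reads."""
    return json.dumps({
        "timestamp": ts, "event_type": "alert", "src_ip": src, "dest_ip": "203.0.113.7",
        "alert": {"signature_id": sid, "signature": "constructed sig %d" % sid},
    })


# Constructed sample feed (not real traffic).
SAMPLE_LINES = [
    _alert("2013-08-02T08:00:01", "10.0.0.5", 9000002),
    _alert("2013-08-02T08:00:02", "10.0.0.5", 9000002),
    _alert("2013-08-02T08:00:03", "10.0.0.5", 9000003),  # score 1.0 -> warn
    _alert("2013-08-02T08:00:04", "10.0.0.9", 9000001),  # high-confidence hit, alone
    _alert("2013-08-02T08:00:05", "10.0.0.9", 9000004),  # warn, then infected
    json.dumps({"timestamp": "2013-08-02T08:00:06", "event_type": "flow", "src_ip": "10.0.0.9"}),
    _alert("2013-08-02T08:00:07", "10.0.0.5", 9000003),
    _alert("2013-08-02T08:00:08", "10.0.0.5", 9000003),  # score 2.0 -> alert
    _alert("2013-08-02T08:00:09", "10.0.0.9", 1234),     # unknown sid, still warn
]

if __name__ == "__main__":
    for event in run(SAMPLE_LINES)[0]:
        print("%-9s %s" % event)
```

The scores only ever grow, which is what makes "report on crossing" safe; for a real deployment you would decay the score (or reset it per day, as the hand-run version above effectively does) so that a host that was cleaned last week does not stay at critical forever.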