[Oisf-users] IP Reputation and smart alerts

Peter Bates peter.bates at ucl.ac.uk
Fri Aug 2 08:24:22 UTC 2013


Hello all

On 01/08/2013 22:33, Russell Fulton wrote:
> Each rule has a reliability indicator, and as traffic goes by the IDS maintains a score for each source. When a threshold is exceeded, an alert is raised. In practice you would probably want to have a set of thresholds (warn, alert, critical) and alert as an IP crosses these boundaries.
> I effectively do this by hand every day. I look at an alert and then pull all the alerts for that IP, and possibly netflow and CIF data as well. What I really need is to have enough confidence in the raw alerts that I can *automatically* inform support staff "this box is infected".

We have a group of rules, which we specifically target, that we have nearly 100% confidence in; when we correlate those rules with other indicators (EK hits, out-of-date Java, etc.), the klaxons sound.

I was playing with DenyHosts the other day, specifically its 'synchronization mode', where hosts share attacking IPs with each other, and thought it might be nice if wider information could be shared in a similar manner.

I guess it's very similar to the "Threat Intelligence" and cloud-y functions creeping into Next Generation Firewalls/AV/HIDS. An open standard would be nice, and obviously the 'network' could grow based on people wanting to share their attack information; it still needs infrastructure, however.

-- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division	      Internal Ext: 32049
University College London
London WC1E 6BT
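The scheme Russell describes above (a reliability per rule, a running score per source IP, warn/alert/critical boundaries, and a report when an IP crosses one) together with Peter's point that a near-certain rule correlated with weaker indicators is what should sound the klaxon, worked through as an added Python example. This is code written for this page, not code from either poster or from Suricata. The signature IDs, reliability values, thresholds and sample alert records are all made up for the illustration, and the choice of "score" is an assumption: the reliabilities of the distinct rules seen for a source are combined noisy-OR style, so a repeated noisy rule adds nothing on its own.

```python
"""Per-source reputation scoring over IDS alerts.

Each rule carries a reliability, distinct rule hits per source IP are combined,
and a source is reported once each time its combined confidence crosses a
warn/alert/critical boundary.  Illustrative code written for this thread, not
part of Suricata or any OISF project.
"""
from collections import defaultdict

# Hypothetical signature IDs and reliabilities, read as P(source compromised | rule fires).
RULE_RELIABILITY = {
    9000001: 0.95,  # e.g. a specific C2 beacon; one of the "nearly 100%" rules
    9000002: 0.60,  # e.g. an exploit-kit landing page hit
    9000003: 0.20,  # e.g. a noisy policy rule such as an outdated Java user-agent
}
# Confidence a source must reach to enter each tier (assumed values).
THRESHOLDS = [("warn", 0.50), ("alert", 0.80), ("critical", 0.95)]


class SourceReputation:
    def __init__(self, reliability=RULE_RELIABILITY, thresholds=THRESHOLDS):
        self.reliability = reliability
        self.thresholds = sorted(thresholds, key=lambda t: t[1])
        self.rules_seen = defaultdict(set)  # ip -> distinct sids that have fired
        self.reported = defaultdict(int)    # ip -> number of tiers already reported

    def confidence(self, ip):
        """Noisy-OR over the distinct rules seen for ip: 1 - prod(1 - r_i).

        Hits are treated as independent evidence.  A repeat of the same rule adds
        nothing, so one noisy signature firing a thousand times cannot reach
        'critical' by itself; a 0.95 rule plus a 0.60 rule does (0.98).
        """
        p_clean = 1.0
        for sid in self.rules_seen[ip]:
            p_clean *= 1.0 - self.reliability[sid]
        return round(1.0 - p_clean, 6)  # rounded so threshold comparisons are stable

    def ingest(self, alert):
        """Fold one alert in; return (ip, tier, confidence, evidence) per tier newly crossed."""
        ip, sid = alert["src_ip"], alert["sid"]
        if sid not in self.reliability:
            return []  # unscored rule: ignore it rather than guess a weight
        self.rules_seen[ip].add(sid)
        conf = self.confidence(ip)
        events = []
        # Report every boundary crossed by this alert, each only once per source.
        while self.reported[ip] < len(self.thresholds):
            name, level = self.thresholds[self.reported[ip]]
            if conf < level:
                break
            events.append((ip, name, conf, sorted(self.rules_seen[ip])))
            self.reported[ip] += 1
        return events

    def run(self, alerts):
        return [ev for alert in alerts for ev in self.ingest(alert)]


# Constructed sample alerts, shaped like abbreviated Suricata eve.json alert records.
SAMPLE_ALERTS = [
    {"timestamp": "2013-08-02T08:01:10", "src_ip": "10.0.0.5", "sid": 9000003},
    {"timestamp": "2013-08-02T08:01:12", "src_ip": "10.0.0.5", "sid": 9000003},  # repeat: no effect
    {"timestamp": "2013-08-02T08:05:00", "src_ip": "10.0.0.5", "sid": 9000002},  # 0.68 -> warn
    {"timestamp": "2013-08-02T08:07:31", "src_ip": "10.0.0.9", "sid": 9000001},  # 0.95 -> all tiers
    {"timestamp": "2013-08-02T08:09:45", "src_ip": "10.0.0.5", "sid": 9000001},  # 0.984 -> alert, critical
    {"timestamp": "2013-08-02T08:10:02", "src_ip": "10.0.0.5", "sid": 12345},    # unscored: ignored
]

if __name__ == "__main__":
    rep = SourceReputation()
    for ip, tier, conf, evidence in rep.run(SAMPLE_ALERTS):
        print(f"{tier:8} {ip:12} confidence={conf:.3f} evidence={evidence}")
```

Two caveats a practitioner would add before wiring the "critical" event to an automatic "this box is infected" ticket: the reliabilities have to come from your own triage history (the fraction of past hits on each rule that turned out to be real compromises), not from the rule's shipped priority; and a source IP is not a host behind NAT, a proxy or DHCP churn, so the score should be keyed to a lease or asset record and aged out, which the example above does not do.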

