BinkleySuggestions
Award points to an IP (reflected somewhere in the output; call this the google evil weight) if, e.g., a Google lookup of the IP for malware scores a bunch of points.
Make this programmable by putting a list of places to look (and how to query each one, which will vary from place to place) in the database, with some way to add to it.
Some places to look:
- senderbase
- dshield.org
- samspade.org
- reverse dns: http://www.bfk.de/bfk_dnslogger.html/?query=131.252.246.54&submit=Query
- triumf: http://andrew.triumf.ca/cgi-bin/gethost?131.252.246.54
Snort has the idea of $HOME_IP. This should be usable in the backend for sorting.
Basically signatures can be viewed as having either $HOME_IP as src or not $HOME_IP as src.
a) Sort by hits on all sigs (which ip has most hits)
variation 1: filter by hits on $HOME_IP as src, $HOME_IP as dst
b) same as above, but within priorities (this is what snortsnarf does, except it doesn't have the $HOME_IP as src capability)
c) smart algorithm:
sort by: signature count * total alerts
(give this the same $HOME_IP as src filter as variation 1 under a. To me this is the most important filter)
d) include priorities within c as an alternative: basically since snort priorities are 0..N where 0 is low, give it a weight (lookup table or function) where 0 has the highest weight, then algorithm above becomes:
sort by: weighted_priority * sig. count * total alerts
e) sort by who has the biggest count of unique alerts
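A sketch of the sorting in c) and d) with the $HOME_IP as src filter from a) variation 1, as an added example (not code from this project). It assumes a constructed list of alerts and a made-up priority weight table; how the per-IP weighted_priority is derived from several alerts (here: the highest weight seen) is an assumption too.

```python
"""Rank source IPs of Snort-style alerts: sig count * total alerts, optionally weighted by priority."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample alerts (sid, priority, src_ip, dst_ip); not real traffic.
ALERTS = [
    ("1:2001", 1, "203.0.113.5", "131.252.246.54"),
    ("1:2001", 1, "203.0.113.5", "131.252.246.55"),
    ("1:2002", 3, "203.0.113.5", "131.252.246.54"),
    ("1:2003", 2, "198.51.100.9", "131.252.246.54"),
    ("1:2001", 1, "131.252.246.54", "203.0.113.7"),
    ("1:2004", 0, "192.0.2.1", "131.252.246.54"),
]

HOME_NET = ip_network("131.252.246.0/24")  # stands in for $HOME_IP (assumed range)

# Assumed lookup table for d): the lowest priority number gets the highest weight.
PRIORITY_WEIGHT = {0: 4, 1: 3, 2: 2, 3: 1}


def is_home(ip):
    return ip_address(ip) in HOME_NET


def rank_sources(alerts, home_as_src=None, weighted=False):
    """Return [(src_ip, score)] sorted by score, highest first.

    home_as_src: None keeps every alert; True keeps only alerts whose src is in
    HOME_NET; False keeps only alerts whose src is outside it (variation 1 under a).
    Score is unique-signature count * total alerts (c); with weighted=True it is
    also multiplied by the highest priority weight seen for that src (d).
    """
    sigs = defaultdict(set)      # src -> distinct signature ids
    total = Counter()            # src -> total alerts
    best_weight = {}             # src -> highest priority weight seen
    for sid, prio, src, _dst in alerts:
        if home_as_src is not None and is_home(src) != home_as_src:
            continue
        sigs[src].add(sid)
        total[src] += 1
        w = PRIORITY_WEIGHT.get(prio, 1)  # unknown priorities get the lowest weight
        best_weight[src] = max(best_weight.get(src, 0), w)
    scores = {}
    for src in total:
        score = len(sigs[src]) * total[src]
        if weighted:
            score *= best_weight[src]
        scores[src] = score
    # Ties are broken by IP string so the ordering is deterministic.
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
```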