Skip to content
davidstelter edited this page Sep 13, 2010 · 4 revisions

Make the lookup of an IP address somehow programmable.

Award points to it somehow reflected elsewhere (call this the google evil weight) if e.g., the lookup via google IP malware
scores a bunch of points.

Make this programmable by putting a list of places to look (and how to do it … which will vary
from place to place in the database, and some way to add to it).

Some places to look:

  • senderbase
  • dshield.org
  • samspade.org
  • reverse dns: http://www.bfk.de/bfk_dnslogger.html/?query=131.252.246.54&submit=Query
  • triumf: http://andrew.triumf.ca/cgi-bin/gethost?131.252.246.54

Sorting

Snort has the idea of $HOME_IP. This should be useable in the backend for sorting.
Basically signatures can be viewed as being either $HOME_IP as src or not $HOMEIP_as src.

a) Sort by hits on all sigs (which ip has most hits)

variation 1: filter by hits on $HOME_IP as src, $HOME_IP as dst

b) same as above, but within priorities (this is what snortsnarf does except it doesn’t have the $HOME_IP as src capability

c) smart algorithm:

sort by: signature count * total alerts

(gives this $HOME_IP as src filter same as variation 1 under a. To me this is the most important filter)

d) include priorities within c as an alternative: basically since snort priorities are 0..N where 0 is low, give it a weight (lookup table or function) where 0 has the highest weight, then algorithm above becomes:

sort by: weighted_priority * sig. count * total alerts

e) sort by who has the biggest ocunt of unique alerts

Clone this wiki locally