> - OSSEC (or OSSEC Pro) has a correlation engine to use an IP address reputation service to calculate and return the risk of an IP address detected by OSSEC. (OSSEC Pro could include the use of Trend Micro's service, for example, and the open source version could simply have an API or framework to work with anything.)
This sparked some neurons in my brain to action, even though I haven't had my full dose of morning caffeine yet.

- OSSEC could monitor the netstat output and match against the DShield bad IP lists, or other such lists. We would need a tool to download the list (lists are available in Snort rules; DShield and Emerging Threats both maintain lists of bad IPs and Russian Business Network IPs) and parse it into OSSEC rules.
- Have OSSEC watch and decode the user's web surfing history (index.dat) and alert on anything in the Malware Domains List. (This might be much more difficult, as the index.dat is not an ASCII log.)

While things like this are possible with OSSEC, I wonder if it's the right place to do this kind of thing after all? What about your firewall logs, and aren't most corporate environments using a proxy or some other web filtering service already (like Websense)?
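To make the first idea concrete, here is an added example (not code from the thread or from the OSSEC project) that turns a DShield-style block list into OSSEC rule XML and checks netstat output against the same list. The tab-separated block-list layout, the `netstat -n` column order, CIDR support in OSSEC's `<srcip>` element, and the rule id range are assumptions; all addresses are constructed documentation ranges.

```python
import ipaddress

# Constructed sample in a DShield-style block-list layout (assumed columns:
# Start, End, Netmask, Attacks, Name; '#' lines are comments).
SAMPLE_BLOCKLIST = """\
# DShield block list (constructed sample)
# Start\tEnd\tNetmask\tAttacks\tName
203.0.113.0\t203.0.113.255\t24\t1500\tEXAMPLE-NET-1
198.51.100.0\t198.51.100.255\t24\t900\tEXAMPLE-NET-2
"""

# Constructed `netstat -n` output; only the Foreign Address column is checked.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:49152          203.0.113.7:443         ESTABLISHED
tcp        0      0 10.0.0.5:49153          192.0.2.10:80           ESTABLISHED
tcp        0      0 10.0.0.5:49154          198.51.100.200:8080     SYN_SENT
"""

def parse_blocklist(text):
    """Return the list as ip_network objects, skipping blank and comment lines."""
    nets = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        start, _end, mask = line.split("\t")[:3]
        nets.append(ipaddress.ip_network(f"{start}/{mask}", strict=False))
    return nets

def to_ossec_rules(nets, first_id=100100, level=10):
    """Emit one OSSEC <rule> per network (assumed: <srcip> accepts CIDR)."""
    lines = ['<group name="badip,">']
    for n, net in enumerate(nets):
        lines.append(f'  <rule id="{first_id + n}" level="{level}">')
        lines.append(f"    <srcip>{net}</srcip>")
        lines.append(f"    <description>Connection to listed network {net}</description>")
        lines.append("  </rule>")
    lines.append("</group>")
    return "\n".join(lines)

def match_netstat(netstat_text, nets):
    """Return (foreign_ip, matching_network) pairs for listed peers."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        host = fields[4].rpartition(":")[0]  # strip the port
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue
        hit = next((net for net in nets if addr in net), None)
        if hit is not None:
            hits.append((str(addr), str(hit)))
    return hits
```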
