On Fri, Oct 22, 2010 at 12:08 PM, Jefferson, Shawn <[email protected]> wrote:
>> - OSSEC (or OSSEC Pro) has a correlation engine to use an IP
>> address reputation service to calculate and return the risk of an IP
>> address detected by OSSEC. (OSSEC Pro could include the use of Trend
>> Micro's service, for example, and the open source version could simply
>> have an API or framework to work with anything)
>
> This sparked some neurons in my brain to action, even though I haven't had my
> full dose of morning caffeine yet.
>
> - OSSEC could monitor the netstat output and match against the DShield bad IP
> lists, or other such lists. We would need a tool to download the list (lists
> are available in Snort rules; DShield and Emerging Threats both maintain
> lists of bad IPs and Russian Business Network IPs) and parse it into OSSEC rules.
>

CDB lists can go a long way in helping with this.

> - Have OSSEC watch and decode the user's web surfing history (index.dat) and
> alert on anything in the Malware Domains List. (This might be much more
> difficult, as the index.dat is not an ASCII log.)
>

I use bro-ids and named logs with OSSEC to look for this type of data. If a request for a suspected bad hostname is made, OSSEC picks it out of the named logs (I also redirect these requests to an internal IP). If a suspected bad IP address is picked up in a DNS response, bro-ids triggers a bro alert on it, and OSSEC lets me know. I'll write up a blog on this at some point.

> While things like this are possible with OSSEC, I wonder if it's the right
> place to do this kind of thing after all? What about your firewall logs, and
> aren't most corporate environments using a proxy or some other web filtering
> service already (like Websense)?
>

With sample logs (*wink wink nudge nudge*) we can support Websense, Bluecoat, etc. I think most of them will do syslog. If anyone wants to send me the hardware, let me know. :P
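The "download the bad IP list and turn it into OSSEC rules" idea from the quoted message, combined with the CDB-list reply, works out to a small conversion step. The script below is an added example written for this thread; it is not code from the OSSEC project or from either poster. Its assumptions are labelled: the input mimics the DShield block list layout (tab-separated start address, end address, netblock bits, attack count, name, ...), the output is the plain `key:value` source that `ossec-makelists` compiles into a `.cdb`, and the `address_match_key` lookup is emulated as "try the full address, then each shorter dotted prefix with a trailing dot", so a netblock is stored as its dotted prefix (check that convention against your OSSEC version's CDB-list documentation). The rule ids in `render_rule` are hypothetical and the sample list is constructed, not real DShield data.

```python
#!/usr/bin/env python3
"""Convert a DShield-style block list into an OSSEC CDB list and emulate the lookup.

Added example for this thread, not code from OSSEC or from the posters.
Labelled assumptions:
  * input mimics DShield's block list: tab-separated "start end bits attacks name ..."
  * output is OSSEC's plain "key:value" CDB source that ossec-makelists compiles
  * address_match_key is modelled as matching the full address first and then
    progressively shorter dotted prefixes ("1.2.3.", "1.2.", "1."), so a
    netblock is stored as its dotted prefix with a trailing dot
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample in the style of the DShield block list; not real data.
SAMPLE_BLOCKLIST = """\
# DShield.org Recommended Block List (constructed sample)
# start\tend\tnetblock\tattacks\tname\tcountry\temail
218.92.0.0\t218.92.255.255\t16\t1200\texample-isp\tXX\tabuse@example.invalid
198.51.100.0\t198.51.100.255\t24\t800\texample-net\tXX\tabuse@example.invalid
203.0.113.0\t203.0.113.127\t25\t300\todd-block\tXX\tabuse@example.invalid
"""


def parse_blocklist(text: str) -> Dict[ipaddress.IPv4Network, str]:
    """Return {network: description} from the block list, skipping comments."""
    entries: Dict[ipaddress.IPv4Network, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 5:
            continue
        start, bits, attacks, name = fields[0], int(fields[2]), fields[3], fields[4]
        net = ipaddress.ip_network(f"{start}/{bits}", strict=False)
        entries[net] = f"dshield {name} attacks={attacks}"
    return entries


def net_to_keys(net: ipaddress.IPv4Network) -> List[str]:
    """Express a network as dotted-prefix keys.

    Octet-aligned prefixes become one key ("218.92." for a /16). Others are
    widened to the next octet boundary and enumerated, so a /25 becomes 128
    host keys instead of over-blocking the whole /24.
    """
    aligned = -(-net.prefixlen // 8) * 8          # round up to 8, 16, 24 or 32
    keys = []
    for sub in net.subnets(new_prefix=aligned):
        octets = str(sub.network_address).split(".")[: aligned // 8]
        key = ".".join(octets)
        keys.append(key if aligned == 32 else key + ".")
    return keys


def to_cdb_source(entries: Dict[ipaddress.IPv4Network, str]) -> List[str]:
    """Render 'key:value' lines for ossec-makelists; first value wins on duplicate keys."""
    lines: Dict[str, str] = {}
    for net, value in entries.items():
        for key in net_to_keys(net):
            lines.setdefault(key, value)
    return [f"{k}:{v}" for k, v in sorted(lines.items())]


def load_cdb(lines: Iterable[str]) -> Dict[str, str]:
    """Parse the key:value source back into a dict (stands in for the compiled .cdb)."""
    return dict(line.split(":", 1) for line in lines)


def address_match_key(cdb: Dict[str, str], ip: str):
    """Emulated address_match_key: exact address, then shorter trailing-dot prefixes.

    Returns the stored value on a hit, None otherwise.
    """
    if ip in cdb:
        return cdb[ip]
    parts = ip.split(".")
    for n in range(len(parts) - 1, 0, -1):
        prefix = ".".join(parts[:n]) + "."
        if prefix in cdb:
            return cdb[prefix]
    return None


RULE_TEMPLATE = """<rule id="{rule_id}" level="10">
  <if_sid>{parent_sid}</if_sid>
  <list field="srcip" lookup="address_match_key">lists/dshield</list>
  <description>Connection from a DShield-listed address</description>
</rule>"""


def render_rule(rule_id: int = 100100, parent_sid: int = 4100) -> str:
    """Local rule that runs the CDB lookup on srcip; ids are hypothetical placeholders."""
    return RULE_TEMPLATE.format(rule_id=rule_id, parent_sid=parent_sid)


if __name__ == "__main__":
    source = to_cdb_source(parse_blocklist(SAMPLE_BLOCKLIST))
    print("\n".join(source[:4]), "...")           # write this to etc/lists/dshield
    db = load_cdb(source)
    for probe in ("218.92.12.34", "203.0.113.5", "203.0.113.200", "192.0.2.1"):
        print(probe, "->", address_match_key(db, probe))
    print(render_rule())
```

The generated file goes under the OSSEC `etc/lists/` directory, is declared in `ossec.conf` with a `<list>` entry inside `<rules>`, and is compiled with `ossec-makelists`; the rule then needs a parent rule that actually decodes a `srcip` from the netstat or firewall events you feed in. Widening a non-aligned netblock into host keys keeps the match exact at the cost of list size, which is the trade-off a practitioner should see before blindly importing a feed.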
