John Strand and Black Hills Security developed a project called:
http://www.blackhillsinfosec.com/?page_id=4417

They developed a set of beaconing specs which I'm wondering if we can reproduce in OSSEC. Here's what I'm looking for:

Beaconing: Connections that happen frequently and on similar intervals could be an indicator of malware calling home.

Blacklisted IPs: Blacklisted IPs are addresses reported as being involved with malware, spamming, and other dangerous activities.

Scanning: These events occur when a computer attempts to connect to a large number of ports on a system, searching for vulnerabilities. I think this has traditionally been about active defenses.

Long Duration Connections: Connections that are beyond the length of average on a network could indicate a compromised system.

Long URLs: Longer than normal URLs could potentially be used to transfer malicious data into the system.

Concurrent Logins: A user being logged into a high number of systems could indicate that this user's account or original system has been compromised.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
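To make the heuristics above concrete, here is an added example (not code from the original post, from OSSEC, or from Black Hills) that implements three of them offline over a constructed connection log: beaconing as low variance in inter-arrival times to the same host and port, scanning as many distinct destination ports from one source, and long-duration connections as outliers against the mean duration. The log format, the field names and every threshold are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection log (not real data); one record per line:
# "epoch_seconds src_ip dst_ip dst_port duration_seconds".
_BASE = """\
1000 10.0.0.5 203.0.113.9 443 1.2
1060 10.0.0.5 203.0.113.9 443 1.1
1121 10.0.0.5 203.0.113.9 443 1.3
1180 10.0.0.5 203.0.113.9 443 1.0
1241 10.0.0.5 203.0.113.9 443 1.2
1300 10.0.0.5 203.0.113.9 443 1.1
1005 10.0.0.7 198.51.100.4 80 2.0
1017 10.0.0.7 198.51.100.4 443 0.5
1390 10.0.0.7 198.51.100.4 8080 3.0
1500 10.0.0.7 198.51.100.4 22 1.0
1020 10.0.0.11 192.0.2.30 443 7200
"""
# A constructed port-sweep burst: one host touching 25 ports in 25 seconds.
_SCAN = "".join(f"{1010 + i} 10.0.0.9 192.0.2.20 {20 + i} 0.1\n" for i in range(25))
SAMPLE_LOG = _BASE + _SCAN


def parse_log(text):
    """Parse whitespace-separated records into dicts; skip blank or malformed lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, dur = parts
        conns.append({"ts": float(ts), "src": src, "dst": dst,
                      "dport": int(dport), "dur": float(dur)})
    return conns


def find_beacons(conns, min_events=5, max_cv=0.2):
    """Beaconing: repeated connections from src to the same dst:port whose
    inter-arrival times are nearly constant (coefficient of variation <= max_cv).
    Returns {(src, dst, dport): approximate_period_seconds}."""
    by_flow = defaultdict(list)
    for c in conns:
        by_flow[(c["src"], c["dst"], c["dport"])].append(c["ts"])
    beacons = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[flow] = round(avg)
    return beacons


def find_scanners(conns, min_ports=20):
    """Scanning: one src touching many distinct ports on one dst.
    Returns {(src, dst): distinct_port_count}."""
    ports = defaultdict(set)
    for c in conns:
        ports[(c["src"], c["dst"])].add(c["dport"])
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def find_long_connections(conns, k=3.0):
    """Long duration: connections lasting more than mean + k * stdev of all
    durations in the window. Returns [(src, dst, duration), ...]."""
    durs = [c["dur"] for c in conns]
    if len(durs) < 2:
        return []
    limit = mean(durs) + k * pstdev(durs)
    return [(c["src"], c["dst"], c["dur"]) for c in conns if c["dur"] > limit]


if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    print("beacons:", find_beacons(conns))
    print("scanners:", find_scanners(conns))
    print("long connections:", find_long_connections(conns))
```

Two design points worth noting: beacons are keyed on destination port as well as host, otherwise a port sweep with fixed timing would also look "regular"; and the long-duration test uses a population standard deviation over the whole window, so a single very long session dominates the limit and shorter anomalies in the same window can be masked. OSSEC's own rule engine expresses only the simpler counting case (the `frequency` and `timeframe` attributes on a rule), so interval regularity of this kind has to be computed outside the rule set and fed back in as an alert.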
