Jason Haar wrote:
On 12/17/2009 03:30 PM, Marc Perkel wrote:
Then the third field is NONE. That's how I do it. But the idea is that any kind of data can be collectively gathered and distributed.

Instead of a TCP channel (which means software), what about using DNS? If the SA clients did RBL lookups that contained the details as part of the query, then if your end parses DNS logs (I'm thinking djbdns, don't know about BIND), then you could extract the data yourself.

You could even introduce a token into the RBL to stop the bad guys corrupting your corpus (a problem you'll have to deal with anyway whatever the network mechanism).

e.g. (token == "834ufg754")

spam.1.2.3.4.834ufg754.newrbl.com
ham.5.6.7.8.834ufg754.newrbl.com

i.e. only the DNS logs that contain valid tokens are legitimate


In this case the idea is to gather data in real time. So those who gather data need to be able to send the data to a central place that receives the data and then makes it available to everyone.
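The token-gated DNS-log extraction Jason Haar sketches above, written out as an added Python example (not code from the thread or from SpamAssassin): it accepts only query names of the form class.ip.token.newrbl.com whose token matches and ignores everything else in the log. The log line layout (queried name as the last field), the newrbl.com zone and the sample entries are constructed; the token value is the illustrative one from the post.

```python
import hmac
import ipaddress
import re

# Constructed for this example: the hypothetical zone from the post and the
# illustrative token value used above.
RBL_ZONE = "newrbl.com"
VALID_TOKEN = "834ufg754"

# <class>.<a.b.c.d>.<token>.<zone> with optional trailing dot, matched on the
# lower-cased name because DNS names are case-insensitive.
QNAME_RE = re.compile(
    r"^(?P<cls>[a-z]+)\.(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<token>[a-z0-9]+)\."
    + re.escape(RBL_ZONE) + r"\.?$"
)

def parse_report(qname):
    """Return (class, ip) for a well-formed, correctly tokened name, else None."""
    m = QNAME_RE.match(qname.lower())
    if m is None:
        return None
    # Constant-time compare: the token is the shared secret gating the corpus.
    if not hmac.compare_digest(m["token"], VALID_TOKEN.lower()):
        return None
    try:
        ip = ipaddress.IPv4Address(m["ip"])  # rejects octets above 255
    except ValueError:
        return None
    return m["cls"], str(ip)

def extract_reports(log_lines):
    """Keep only token-validated reports from query-log lines; the constructed
    layout puts the queried name in the last whitespace-separated field."""
    reports = []
    for line in log_lines:
        fields = line.split()
        if fields and (report := parse_report(fields[-1])) is not None:
            reports.append(report)
    return reports

# Constructed sample log: two valid reports, then wrong-token, tokenless,
# unrelated and out-of-range-IP names that must all be dropped.
SAMPLE_LOG = [
    "query 10.0.0.5 A spam.1.2.3.4.834ufg754.newrbl.com",
    "query 10.0.0.6 A ham.5.6.7.8.834ufg754.newrbl.com",
    "query 10.0.0.7 A spam.9.9.9.9.notthetoken.newrbl.com",
    "query 10.0.0.8 A spam.9.9.9.9.newrbl.com",
    "query 10.0.0.9 A www.example.com",
    "query 10.0.0.10 A spam.999.1.1.1.834ufg754.newrbl.com",
]
```

The token travels in cleartext inside every query name and lands in any resolver cache or log along the path, so it is a weak shared secret that needs rotation rather than a real authenticator for the corpus.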
