Guest Diary: Xavier Mertens - Playing with IP Reputation with Dshield & OSSEC
When investigating incidents or searching for malicious activity in your logs, IP reputation is a nice way to increase the reliability of generated alerts and to help prioritize incidents. Let's take an example with a WordPress blog. Sooner or later, it will be targeted by a brute-force attack on the default /wp-admin page. In this case, IP reputation can be helpful: an attack performed from an IP address already reported as actively scanning the Internet will attract less of my attention. On the contrary, if the same kind of attack comes from an unknown IP address, it could be more suspicious...
By using a reputation system, our monitoring tool can tag an IP address with a label like "reported as malicious" based on a repository. The real value of this repository depends directly on the quality of the collected information. I'm a big fan of dshield.org (https://www.dshield.org), a free service provided by the SANS Internet Storm Center. The service works thanks to the data submitted by many people across the Internet. For years, I have also been pushing my firewall logs to dshield.org from my OSSEC server, using a tool I wrote for this purpose: ossec2dshield (https://github.com/xme/ossec2dshield). Having contributed to the system, it's now time to get some benefit from my participation: I'm re-using the database to automatically check the reputation of the IP addresses attacking me. We come full circle!
To achieve this, let's use the API (https://isc.sans.edu/api/) provided on isc.sans.org and the OSSEC (http://www.ossec.net) feature called "Active-Response", which allows a script to be triggered when a set of conditions is met. In this example, we call the reputation script with the attacker's address for any alert with a level >= 6.
The ISC API can be used to query information about an IP address. The returned results are:
The script can be configured with a YAML configuration file (defaulting to /etc/isc-ipreputation.conf) which is very easy to understand:
database:
network:
The script is available on my github repository (https://github.com/xme/toolbox/blob/master/isc-ipreputation.py).
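To illustrate the Active-Response lookup described above, here is an added example (not the author's isc-ipreputation.py): it reads the attacker address from the arguments OSSEC passes to an active-response script (assumed layout: action, user, source IP, alert id, rule id), queries the ISC IP endpoint (assumed form https://isc.sans.edu/api/ip/<ip>?json, with its "count" and "attacks" fields), and turns the answer into a label; the sample response below is constructed.

```python
#!/usr/bin/env python3
"""Added example: label an attacker IP with the ISC/DShield IP API (not the diary's own script)."""
import json
import sys
import urllib.request

# Assumed endpoint shape of the public ISC IP lookup.
ISC_API = "https://isc.sans.edu/api/ip/{ip}?json"

# Constructed sample answer shaped like the ISC output; every value is invented.
SAMPLE_RESPONSE = json.dumps({
    "ip": {"number": "192.0.2.10", "count": "412", "attacks": "87",
           "mindate": "2022-10-01", "maxdate": "2022-11-15",
           "asname": "EXAMPLE-AS", "ascountry": "XX"}
})


def fetch_reputation(ip, timeout=10):
    """Query the ISC API for one address and return the raw JSON text."""
    req = urllib.request.Request(ISC_API.format(ip=ip),
                                 headers={"User-Agent": "isc-ipreputation-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def classify(json_text, min_reports=10, min_targets=5):
    """Reduce an ISC answer to a label plus the evidence behind it.

    'known scanner' when the address was reported at least min_reports times
    against at least min_targets distinct targets; 'unknown' otherwise,
    including when ISC has no data (fields missing or null).
    """
    data = json.loads(json_text).get("ip") or {}
    reports = int(data.get("count") or 0)
    targets = int(data.get("attacks") or 0)
    known = reports >= min_reports and targets >= min_targets
    return {"ip": data.get("number"), "reports": reports, "targets": targets,
            "last_seen": data.get("maxdate"),
            "label": "known scanner" if known else "unknown"}


def main(argv):
    # Assumed OSSEC active-response argument layout: action user srcip alert_id rule_id.
    if len(argv) < 4 or argv[1] != "add":
        return 0
    r = classify(fetch_reputation(argv[3]))
    print("ISC reputation for %s: %s (%d reports, %d targets, last seen %s)"
          % (r["ip"], r["label"], r["reports"], r["targets"], r["last_seen"]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The printed line is what you would forward into the alert (for example by writing it to a log OSSEC reads back) so the analyst sees the reputation next to the original event.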