SlideShare ist ein Scribd-Unternehmen logo

Build an IP Reputation Engine

RootedCON
RootedCON

La presentación tratará acerca del sistema de reputación IP, accesible de forma libre, desarrollado en Alienvault. Se explicará el funcionamiento de todas sus partes, lo que incluye sus fuentes de información, las metodologías de recopilación de datos y el procesado de los mismos. Se tratarán temas como análisis automatizado de malware, algoritmos para perfilar datos y evitar falsos positivos, la forma de recibir retroalimentación, el uso de recursos muy diferentes en el sistema, así como las dificultades que hemos tenido a la hora de desarrollarlo.

Technologie
1 von 38
Building an IP Reputation engine Tracking the miscreants
Index 1. What is IP Reputation 2. Open Source IP Reputation Portal 3. How is the engine 4. Feeding the engine 5. Current integrations
Index 1. What is IP Reputation 1.1. The problem 1.2. What is IP Reputation? 1.3. What is an IP Reputation engine? 1.4. Features of an IP Reputation engine 2. Open Source IP Reputation Portal 3. How is the engine 4. Feeding the engine 5. Current integrations
The problem Security analyst: “How many of my network connections are going to bad sites?”
What is IP Reputation? IP Reputation is a summary of the past behavior activity detected on an IP An IP with reputation information add context when a network connection is observed
What is an IP Reputation engine? An IP Reputation engine is a system to classify and score large sets of IPs, in low or high reputation
Features of an IP Reputation engine Updated information Accurate values associated to every IP Assign activity classification to every IP Range of detection
Index 1. What is IP Reputation 2. Open Source IP Reputation Portal 3. How is the engine 4. Feeding the engine 5. Current integrations
Open Source IP Reputation Portal http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/
A register in the reputation.data file: <IP>#<RELIABILITY>#<RISK>#<ACTIVITY>#<COUNTRY>#<CITY>#<LAT>,<LON> 1...10 1...10 C&C Open Proxy Malicious Host Phishing Malware Domain Spamming Malware IP Scanning Host 64.44.240.225#4#3#Malicious Host#US#Chicago#41.9287986755,-87.6315002441 194.176.176.82#4#2#Spamming#RO#Bucharest#44.4333000183,26.1000003815 93.183.203.41#3#2#C&C;Malware Domain#UA#Kiev#50.4333000183,30.5167007446 64.141.101.204#1#2#Malware Domain#CA#Calgary#51.0833015442,-114.083297729 https://reputation.alienvault.com/reputation.data
Index 1. What is IP Reputation 2. Open Source IP Reputation Portal 3. How is the engine 3.1. Architecture design 3.1.1. Server 3.1.2. Agent 3.1.3. URL system 3.2. Scoring system 4. Feeding the engine
Architecture design Server Database Prefilter URL system Agent IPs/domains URLs Agent DATA IP reputation portal
Scoring system DNSBL + BULK DOMAINS + DYNAMIC IP DYNAMIC DNS + GOOGLE SAFE BROWSING + FILE-SHARING IP - ALEXA TOP ONE MILLION - HEURISTIC DOMAIN +
Scoring system DNSBL + $ host 6.6.6.6.zen.spamhaus.org Host 6.6.6.6.zen.spamhaus.org not BULK DOMAINS + found: 3(NXDOMAIN) DYNAMIC IP $ host 2.0.0.127.zen.spamhaus.org 2.0.0.127.zen.spamhaus.org has DYNAMIC DNS + address 127.0.0.10 2.0.0.127.zen.spamhaus.org has address 127.0.0.2 GOOGLE SAFE BROWSING + 2.0.0.127.zen.spamhaus.org has address 127.0.0.4 FILE-SHARING IP - ALEXA TOP ONE MILLION - HEURISTIC DOMAIN +
Scoring system DNSBL + *.co.be BULK DOMAINS + *.co.cc *.co.com.au DYNAMIC IP *.co.tv *.com.ua DYNAMIC DNS + *.cu.cc GOOGLE SAFE BROWSING + *.cw.cm *.cx.cc FILE-SHARING IP - *.cz.cc ALEXA TOP ONE MILLION - *.cz.tf HEURISTIC DOMAIN +
Scoring system DNSBL + BULK DOMAINS + $ host 87.216.x.x DYNAMIC IP x.x.216.87.in-addr.arpa domain name pointer x.x.216.87.dynamic.jazztel.es. DYNAMIC DNS + GOOGLE SAFE BROWSING + FILE-SHARING IP - ALEXA TOP ONE MILLION - HEURISTIC DOMAIN +
Scoring system DNSBL + BULK DOMAINS + *.ath.cx DYNAMIC IP *.dyndns.org DYNAMIC DNS + *.no-ip.biz *.no-ip.info GOOGLE SAFE BROWSING + *.no-ip.org FILE-SHARING IP - ALEXA TOP ONE MILLION - HEURISTIC DOMAIN +
Scoring system DNSBL + BULK DOMAINS + DYNAMIC IP DYNAMIC DNS + GOOGLE SAFE BROWSING + FILE-SHARING IP - ALEXA TOP ONE MILLION - HEURISTIC DOMAIN +
Scoring system DNSBL + BULK DOMAINS + DYNAMIC IP DYNAMIC DNS + GOOGLE SAFE BROWSING + FILE-SHARING IP - ALEXA TOP ONE MILLION - HEURISTIC DOMAIN +
Scoring system DNSBL + BULK DOMAINS + 1, google.com DYNAMIC IP 2, facebook.com 3, youtube.com 4, yahoo.com DYNAMIC DNS + 5, baidu.com 6, wikipedia.org GOOGLE SAFE BROWSING + 7, live.com 8, blogspot.com 9, amazon.com FILE-SHARING IP - 10, twitter.com ... ALEXA TOP ONE MILLION - 999999, panciapiatta.net 1000000, acsysun.co.jp HEURISTIC DOMAIN +
Scoring system DNSBL + BULK DOMAINS + ypyfp.com.tw jlmjalzjk.gs ewdkddr.me DYNAMIC IP xzasuf.com.pt nnis.co.uk DYNAMIC DNS + qzlx.co.za tuxs.com.ua GOOGLE SAFE BROWSING + upwcbab.tw hkwytkey.pe uzabfgqfk.my FILE-SHARING IP - http://labs.alienvault.com/labs/ index.php/2012/detecting-malware- ALEXA TOP ONE MILLION - domains-by-syntax-heuristics/ HEURISTIC DOMAIN +
Index 1. What is IP Reputation 2. Open Source IP Reputation Portal 3. How is the engine 4. Feeding the engine 4.1. External sources 4.2. Our sandnet 4.3. AlienVault OTX 5. Current integrations
Getting data from external sources { Malware Trackers Malicious Hosts lists Open Proxy lists Scanning Hosts lists SPAM Trackers and more...
Our sandnet Samples Queue Sandbox Sandnet web panel Sandnet { } Database Traffic, rules trigger Traffic, no rules trigger No traffic! IP Reputation Database
AlienVault OTX is a system for sharing threat intelligence among OSSIM users and AlienVault customers. http://www.alienvault.com/alienvault-labs/open- threat-exchange/
Index 1. What is IP Reputation 2. What is the Open Source IP Reputation Portal 3. How is the engine 4. Feeding the engine 5. Current integrations 5.1. Integration in OSSIM 5.2. Other integrations
Integration in OSSIM OSSIM is an Open Source SIEM (Security Information Event Management). A comprehensive compilation of tools that work together to provide a detailed view over each and every aspect of your networks, hosts, physical access devices, server, etc. http://communities.alienvault.com/community A security event manager (SEM) (acronyms SIEM and SIM) is a computerized tool used on enterprise data networks to centralize the storage and interpretation of logs, or events, generated by other software running on the network. http://en.wikipedia.org/wiki/Security_event_manager
{ fprobe, nfSen (flow collector and analyzer) Snort (IDS) + EmergingThreats ruleset OSSEC (HIDS) Nagios (service and infrastructure monitoring) OpenVAS, Nessus (vulnerability assessment) p0f, PADS, arpwatch (passive network monitoring) nmap (network scanning) OCS Inventory NG (host-based inventory) Wireshark, tcpdump (full packet capture) and more...
{ data collection with plugins: routers, firewalls, switches... load balancers, intrusion prevention systems honeypots, web proxies, web application firewalls ...
OSSIM architecture Find patterns Server Correlation engine Insert events Normalized data Sensors Database Detects new data DATA
Logic correlation if detected firewall or proxy event + and is an ACCEPT or HTTP code 200 OK event + and the destination IP has a low reputation = alarm <directive id="29001" name="Suspicious communication on SRC_IP" priority="5"> <rule type="detector" name="HTTP connection to low IP reputation destination" plugin_id="1503" plugin_sid="1" reliability="10" occurrence="1" from="HOME_NET" to="!HOME_NET" port_from="ANY" port_to="80,443" to_reputation="true" protocol="TCP"/> </directive>
Logic correlation
Other integrations Snort reputation format Iptables format Squid format Unix (hosts.deny) format More to come: shellscripts, configuration guides, nfSen plugin...
Future of the IP reputation Live scoring API Predictive IP reputation Extent to domain blocklist
Conclusions 1. Free to use IP Reputation database 2. Detailed information about the activity and history of every IP through the web portal 3. Continuously updated and maintained using different resources and improved with AlienVault OTX 4. Fully integrated in OSSIM, ready to be easily integrated with another systems
http://labs.alienvault.com Alberto Ortega Guillermo Grande a0rtega Guillermo aortega@alienvault.com ggrande@alienvault.com

Empfohlen

Understanding the DNS & DNSSEC
Understanding the DNS & DNSSECUnderstanding the DNS & DNSSEC
Understanding the DNS & DNSSECICANN
 
ICANN 51: Name Collision
ICANN 51: Name CollisionICANN 51: Name Collision
ICANN 51: Name CollisionICANN
 
Defcon
DefconDefcon
DefconOpenDNS
 
Fast Detection of New Malicious Domains using DNS
Fast Detection of New Malicious Domains using DNSFast Detection of New Malicious Domains using DNS
Fast Detection of New Malicious Domains using DNSOpenDNS
 
dns-sec-4-slides
dns-sec-4-slidesdns-sec-4-slides
dns-sec-4-slideskj teoh
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013Shumon Huque
 
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...APNIC
 
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsNew DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsOpenDNS
 

Empfohlen

Understanding the DNS & DNSSEC
Understanding the DNS & DNSSECUnderstanding the DNS & DNSSEC
Understanding the DNS & DNSSECICANN
 
ICANN 51: Name Collision
ICANN 51: Name CollisionICANN 51: Name Collision
ICANN 51: Name CollisionICANN
 
Defcon
DefconDefcon
DefconOpenDNS
 
Fast Detection of New Malicious Domains using DNS
Fast Detection of New Malicious Domains using DNSFast Detection of New Malicious Domains using DNS
Fast Detection of New Malicious Domains using DNSOpenDNS
 
dns-sec-4-slides
dns-sec-4-slidesdns-sec-4-slides
dns-sec-4-slideskj teoh
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013Shumon Huque
 
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...APNIC
 
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsNew DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsOpenDNS
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial Men and Mice
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksFindWhitePapers
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsMen and Mice
 
DNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentationDNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentationAPNIC
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
 
4Developers: Dns vs webapp
4Developers: Dns vs webapp4Developers: Dns vs webapp
4Developers: Dns vs webappPROIDEA
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
5.Dns Rpc Nfs
5.Dns Rpc Nfs5.Dns Rpc Nfs
5.Dns Rpc Nfsphanleson
 
5.Dns Rpc Nfs 2
5.Dns Rpc Nfs 25.Dns Rpc Nfs 2
5.Dns Rpc Nfs 2phanleson
 
Dns
DnsDns
DnsARYA TM
 
Dns introduction
Dns introduction Dns introduction
Dns introduction sunil kumar
 
Tutorial 1
Tutorial 1Tutorial 1
Tutorial 1VIKAS_1705212
 
Class Project Showcase: DNS Spoofing
Class Project Showcase: DNS SpoofingClass Project Showcase: DNS Spoofing
Class Project Showcase: DNS SpoofingBeibei Yang
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootMen and Mice
 
The CAA-Record for increased encryption security
The CAA-Record for increased encryption securityThe CAA-Record for increased encryption security
The CAA-Record for increased encryption securityMen and Mice
 
SMTP STS (Strict Transport Security) vs. SMTP with DANE
SMTP STS (Strict Transport Security) vs. SMTP with DANESMTP STS (Strict Transport Security) vs. SMTP with DANE
SMTP STS (Strict Transport Security) vs. SMTP with DANEMen and Mice
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksMen and Mice
 
Manu Quintans y Frank Ruiz - All Your Crimeware Are Belong To Us! [RootedCON ...
Manu Quintans y Frank Ruiz - All Your Crimeware Are Belong To Us! [RootedCON ...Manu Quintans y Frank Ruiz - All Your Crimeware Are Belong To Us! [RootedCON ...
Manu Quintans y Frank Ruiz - All Your Crimeware Are Belong To Us! [RootedCON ...RootedCON
 
Pedro Sánchez - Hospital Central. Historia de una extorsión [RootedCON 2012]
Pedro Sánchez - Hospital Central. Historia de una extorsión [RootedCON 2012]Pedro Sánchez - Hospital Central. Historia de una extorsión [RootedCON 2012]
Pedro Sánchez - Hospital Central. Historia de una extorsión [RootedCON 2012]RootedCON
 

Weitere ähnliche Inhalte

Was ist angesagt?

Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local NetworksMen and Mice
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial Men and Mice
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksFindWhitePapers
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsMen and Mice
 
DNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentationDNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentationAPNIC
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
 
4Developers: Dns vs webapp
4Developers: Dns vs webapp4Developers: Dns vs webapp
4Developers: Dns vs webappPROIDEA
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
5.Dns Rpc Nfs
5.Dns Rpc Nfs5.Dns Rpc Nfs
5.Dns Rpc Nfsphanleson
 
5.Dns Rpc Nfs 2
5.Dns Rpc Nfs 25.Dns Rpc Nfs 2
5.Dns Rpc Nfs 2phanleson
 
Dns introduction
Dns introduction Dns introduction
Dns introduction sunil kumar
 
Class Project Showcase: DNS Spoofing
Class Project Showcase: DNS SpoofingClass Project Showcase: DNS Spoofing
Class Project Showcase: DNS SpoofingBeibei Yang
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootMen and Mice
 
The CAA-Record for increased encryption security
The CAA-Record for increased encryption securityThe CAA-Record for increased encryption security
The CAA-Record for increased encryption securityMen and Mice
 
SMTP STS (Strict Transport Security) vs. SMTP with DANE
SMTP STS (Strict Transport Security) vs. SMTP with DANESMTP STS (Strict Transport Security) vs. SMTP with DANE
SMTP STS (Strict Transport Security) vs. SMTP with DANEMen and Mice
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksMen and Mice
 

Was ist angesagt? (20)

Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local Networks
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rolls
 
DNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentationDNS OARC 27: DNS over IPv6 - A study in fragmentation
DNS OARC 27: DNS over IPv6 - A study in fragmentation
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
 
4Developers: Dns vs webapp
4Developers: Dns vs webapp4Developers: Dns vs webapp
4Developers: Dns vs webapp
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
5.Dns Rpc Nfs
5.Dns Rpc Nfs5.Dns Rpc Nfs
5.Dns Rpc Nfs
 
5.Dns Rpc Nfs 2
5.Dns Rpc Nfs 25.Dns Rpc Nfs 2
5.Dns Rpc Nfs 2
 
Dns
DnsDns
Dns
 
Dns introduction
Dns introduction Dns introduction
Dns introduction
 
Tutorial 1
Tutorial 1Tutorial 1
Tutorial 1
 
Class Project Showcase: DNS Spoofing
Class Project Showcase: DNS SpoofingClass Project Showcase: DNS Spoofing
Class Project Showcase: DNS Spoofing
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the root
 
The CAA-Record for increased encryption security
The CAA-Record for increased encryption securityThe CAA-Record for increased encryption security
The CAA-Record for increased encryption security
 
SMTP STS (Strict Transport Security) vs. SMTP with DANE
SMTP STS (Strict Transport Security) vs. SMTP with DANESMTP STS (Strict Transport Security) vs. SMTP with DANE
SMTP STS (Strict Transport Security) vs. SMTP with DANE
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
 

Andere mochten auch

Manu Quintans y Frank Ruiz - All Your Crimeware Are Belong To Us! [RootedCON ...
Manu Quintans y Frank Ruiz - All Your Crimeware Are Belong To Us! [RootedCON ...Manu Quintans y Frank Ruiz - All Your Crimeware Are Belong To Us! [RootedCON ...
Manu Quintans y Frank Ruiz - All Your Crimeware Are Belong To Us! [RootedCON ...RootedCON
 
Pedro Sánchez - Hospital Central. Historia de una extorsión [RootedCON 2012]
Pedro Sánchez - Hospital Central. Historia de una extorsión [RootedCON 2012]Pedro Sánchez - Hospital Central. Historia de una extorsión [RootedCON 2012]
Pedro Sánchez - Hospital Central. Historia de una extorsión [RootedCON 2012]RootedCON
 
Yago Jesús - Applied Cryptography FAILs [RootedCON 2012]
Yago Jesús - Applied Cryptography FAILs [RootedCON 2012]Yago Jesús - Applied Cryptography FAILs [RootedCON 2012]
Yago Jesús - Applied Cryptography FAILs [RootedCON 2012]RootedCON
 
José Miguel Esparza y Mikel Gastesi - Social Engineering in Banking Trojans: ...
José Miguel Esparza y Mikel Gastesi - Social Engineering in Banking Trojans: ...José Miguel Esparza y Mikel Gastesi - Social Engineering in Banking Trojans: ...
José Miguel Esparza y Mikel Gastesi - Social Engineering in Banking Trojans: ...RootedCON
 
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]RootedCON
 
Jaime Peñalba y Javier Rodríguez - Live Free or Die Hacking [RootedCON 2012]
Jaime Peñalba y Javier Rodríguez - Live Free or Die Hacking [RootedCON 2012]Jaime Peñalba y Javier Rodríguez - Live Free or Die Hacking [RootedCON 2012]
Jaime Peñalba y Javier Rodríguez - Live Free or Die Hacking [RootedCON 2012]RootedCON
 
Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript...
Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript...Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript...
Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript...RootedCON
 
Lorenzo Martínez - Welcome to your secure /home, $user [Rooted CON 2012]
Lorenzo Martínez - Welcome to your secure /home, $user [Rooted CON 2012]Lorenzo Martínez - Welcome to your secure /home, $user [Rooted CON 2012]
Lorenzo Martínez - Welcome to your secure /home, $user [Rooted CON 2012]RootedCON
 
Juan Garrido - Corporate Forensics: Saca partido a tu arquitectura[RootedCON ...
Juan Garrido - Corporate Forensics: Saca partido a tu arquitectura[RootedCON ...Juan Garrido - Corporate Forensics: Saca partido a tu arquitectura[RootedCON ...
Juan Garrido - Corporate Forensics: Saca partido a tu arquitectura[RootedCON ...RootedCON
 
Carlos Díaz y Fco. Jesús Gómez - CMD: Look who's talking too [RootedCON 2012]
Carlos Díaz y Fco. Jesús Gómez - CMD: Look who's talking too [RootedCON 2012]Carlos Díaz y Fco. Jesús Gómez - CMD: Look who's talking too [RootedCON 2012]
Carlos Díaz y Fco. Jesús Gómez - CMD: Look who's talking too [RootedCON 2012]RootedCON
 

Andere mochten auch (11)

Manu Quintans y Frank Ruiz - All Your Crimeware Are Belong To Us! [RootedCON ...
Manu Quintans y Frank Ruiz - All Your Crimeware Are Belong To Us! [RootedCON ...Manu Quintans y Frank Ruiz - All Your Crimeware Are Belong To Us! [RootedCON ...
Manu Quintans y Frank Ruiz - All Your Crimeware Are Belong To Us! [RootedCON ...
 
Pedro Sánchez - Hospital Central. Historia de una extorsión [RootedCON 2012]
Pedro Sánchez - Hospital Central. Historia de una extorsión [RootedCON 2012]Pedro Sánchez - Hospital Central. Historia de una extorsión [RootedCON 2012]
Pedro Sánchez - Hospital Central. Historia de una extorsión [RootedCON 2012]
 
Yago Jesús - Applied Cryptography FAILs [RootedCON 2012]
Yago Jesús - Applied Cryptography FAILs [RootedCON 2012]Yago Jesús - Applied Cryptography FAILs [RootedCON 2012]
Yago Jesús - Applied Cryptography FAILs [RootedCON 2012]
 
José Miguel Esparza y Mikel Gastesi - Social Engineering in Banking Trojans: ...
José Miguel Esparza y Mikel Gastesi - Social Engineering in Banking Trojans: ...José Miguel Esparza y Mikel Gastesi - Social Engineering in Banking Trojans: ...
José Miguel Esparza y Mikel Gastesi - Social Engineering in Banking Trojans: ...
 
Modulo 5
Modulo 5Modulo 5
Modulo 5
 
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
 
Jaime Peñalba y Javier Rodríguez - Live Free or Die Hacking [RootedCON 2012]
Jaime Peñalba y Javier Rodríguez - Live Free or Die Hacking [RootedCON 2012]Jaime Peñalba y Javier Rodríguez - Live Free or Die Hacking [RootedCON 2012]
Jaime Peñalba y Javier Rodríguez - Live Free or Die Hacking [RootedCON 2012]
 
Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript...
Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript...Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript...
Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript...
 
Lorenzo Martínez - Welcome to your secure /home, $user [Rooted CON 2012]
Lorenzo Martínez - Welcome to your secure /home, $user [Rooted CON 2012]Lorenzo Martínez - Welcome to your secure /home, $user [Rooted CON 2012]
Lorenzo Martínez - Welcome to your secure /home, $user [Rooted CON 2012]
 
Juan Garrido - Corporate Forensics: Saca partido a tu arquitectura[RootedCON ...
Juan Garrido - Corporate Forensics: Saca partido a tu arquitectura[RootedCON ...Juan Garrido - Corporate Forensics: Saca partido a tu arquitectura[RootedCON ...
Juan Garrido - Corporate Forensics: Saca partido a tu arquitectura[RootedCON ...
 
Carlos Díaz y Fco. Jesús Gómez - CMD: Look who's talking too [RootedCON 2012]
Carlos Díaz y Fco. Jesús Gómez - CMD: Look who's talking too [RootedCON 2012]Carlos Díaz y Fco. Jesús Gómez - CMD: Look who's talking too [RootedCON 2012]
Carlos Díaz y Fco. Jesús Gómez - CMD: Look who's talking too [RootedCON 2012]
 

Ähnlich wie Build an IP Reputation Engine

Leveraging DNS to Surface Attacker Activity
Leveraging DNS to Surface Attacker ActivityLeveraging DNS to Surface Attacker Activity
Leveraging DNS to Surface Attacker ActivitySqrrl
 
Minieri CS6262 Project Poster
Minieri CS6262 Project PosterMinieri CS6262 Project Poster
Minieri CS6262 Project PosterJoe Minieri
 
Apache Directory and the OSGi Service Platform - Enrique Rodriguez, PMC Membe...
Apache Directory and the OSGi Service Platform - Enrique Rodriguez, PMC Membe...Apache Directory and the OSGi Service Platform - Enrique Rodriguez, PMC Membe...
Apache Directory and the OSGi Service Platform - Enrique Rodriguez, PMC Membe...mfrancis
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Toni de la Fuente
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...RootedCON
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
 
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto Docker, Inc.
 
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...OpenDNS
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...RootedCON
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorPositive Hack Days
 
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderHSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderSplend
 
DNS for Developers - NDC Oslo 2016
DNS for Developers - NDC Oslo 2016DNS for Developers - NDC Oslo 2016
DNS for Developers - NDC Oslo 2016Maarten Balliauw
 
DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6...
DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6...DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6...
DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6...Felipe Prado
 
AWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSAWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSJames Bromberger
 
MultiCloud Bursting from Openstack to Windows Azure and Amazon AWS with Righ...
MultiCloud Bursting from Openstack to Windows Azure and Amazon AWS with Righ... MultiCloud Bursting from Openstack to Windows Azure and Amazon AWS with Righ...
MultiCloud Bursting from Openstack to Windows Azure and Amazon AWS with Righ...bn-cloud
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededFrans Rosén
 
DNS Exfiltration and Out-of-bound attacks
DNS Exfiltration and Out-of-bound attacksDNS Exfiltration and Out-of-bound attacks
DNS Exfiltration and Out-of-bound attacksNitesh Shilpkar
 
Cyber-crime and attacks in the dark side of the web - Marco Balduzzi - Codemo...
Cyber-crime and attacks in the dark side of the web - Marco Balduzzi - Codemo...Cyber-crime and attacks in the dark side of the web - Marco Balduzzi - Codemo...
Cyber-crime and attacks in the dark side of the web - Marco Balduzzi - Codemo...Codemotion
 

Ähnlich wie Build an IP Reputation Engine (20)

Leveraging DNS to Surface Attacker Activity
Leveraging DNS to Surface Attacker ActivityLeveraging DNS to Surface Attacker Activity
Leveraging DNS to Surface Attacker Activity
 
Minieri CS6262 Project Poster
Minieri CS6262 Project PosterMinieri CS6262 Project Poster
Minieri CS6262 Project Poster
 
Apache Directory and the OSGi Service Platform - Enrique Rodriguez, PMC Membe...
Apache Directory and the OSGi Service Platform - Enrique Rodriguez, PMC Membe...Apache Directory and the OSGi Service Platform - Enrique Rodriguez, PMC Membe...
Apache Directory and the OSGi Service Platform - Enrique Rodriguez, PMC Membe...
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto
 
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
 
Dns and Dnssec
Dns and DnssecDns and Dnssec
Dns and Dnssec
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense Vector
 
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderHSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
 
DNS for Developers - NDC Oslo 2016
DNS for Developers - NDC Oslo 2016DNS for Developers - NDC Oslo 2016
DNS for Developers - NDC Oslo 2016
 
DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6...
DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6...DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6...
DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6...
 
AWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNSAWS User Group - Perth - April 2021 - DNS
AWS User Group - Perth - April 2021 - DNS
 
MultiCloud Bursting from Openstack to Windows Azure and Amazon AWS with Righ...
MultiCloud Bursting from Openstack to Windows Azure and Amazon AWS with Righ... MultiCloud Bursting from Openstack to Windows Azure and Amazon AWS with Righ...
MultiCloud Bursting from Openstack to Windows Azure and Amazon AWS with Righ...
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification needed
 
DNS Exfiltration and Out-of-bound attacks
DNS Exfiltration and Out-of-bound attacksDNS Exfiltration and Out-of-bound attacks
DNS Exfiltration and Out-of-bound attacks
 
TIAD : Automating the modern datacenter
TIAD : Automating the modern datacenterTIAD : Automating the modern datacenter
TIAD : Automating the modern datacenter
 
Cyber-crime and attacks in the dark side of the web - Marco Balduzzi - Codemo...
Cyber-crime and attacks in the dark side of the web - Marco Balduzzi - Codemo...Cyber-crime and attacks in the dark side of the web - Marco Balduzzi - Codemo...
Cyber-crime and attacks in the dark side of the web - Marco Balduzzi - Codemo...
 

Mehr von RootedCON

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRootedCON
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...RootedCON
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRootedCON
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_RootedCON
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...RootedCON
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...RootedCON
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...RootedCON
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRootedCON
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...RootedCON
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRootedCON
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...RootedCON
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRootedCON
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...RootedCON
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRootedCON
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRootedCON
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...RootedCON
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...RootedCON
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRootedCON
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRootedCON
 

Mehr von RootedCON (20)

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 

Kürzlich hochgeladen

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 

Kürzlich hochgeladen (20)

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 

Build an IP Reputation Engine

  • 1. Building an IP Reputation engine Tracking the miscreants
  • 2. Index 1. What is IP Reputation 2. Open Source IP Reputation Portal 3. How is the engine 4. Feeding the engine 5. Current integrations
  • 3. Index 1. What is IP Reputation 1.1. The problem 1.2. What is IP Reputation? 1.3. What is an IP Reputation engine? 1.4. Features of an IP Reputation engine 2. Open Source IP Reputation Portal 3. How is the engine 4. Feeding the engine 5. Current integrations
  • 4. The problem Security analyst: “How many of my network connections are going to bad sites?”
  • 5. What is IP Reputation? IP Reputation is a summary of the past behavior activity detected on an IP An IP with reputation information add context when a network connection is observed
  • 6. What is an IP Reputation engine? An IP Reputation engine is a system to classify and score large sets of IPs, in low or high reputation
  • 7. Features of an IP Reputation engine Updated information Accurate values associated to every IP Assign activity classification to every IP Range of detection
  • 8. Index 1. What is IP Reputation 2. Open Source IP Reputation Portal 3. How is the engine 4. Feeding the engine 5. Current integrations
  • 9. Open Source IP Reputation Portal http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/
  • 10. A register in the reputation.data file: <IP>#<RELIABILITY>#<RISK>#<ACTIVITY>#<COUNTRY>#<CITY>#<LAT>,<LON> 1...10 1...10 C&C Open Proxy Malicious Host Phishing Malware Domain Spamming Malware IP Scanning Host 64.44.240.225#4#3#Malicious Host#US#Chicago#41.9287986755,-87.6315002441 194.176.176.82#4#2#Spamming#RO#Bucharest#44.4333000183,26.1000003815 93.183.203.41#3#2#C&C;Malware Domain#UA#Kiev#50.4333000183,30.5167007446 64.141.101.204#1#2#Malware Domain#CA#Calgary#51.0833015442,-114.083297729 https://reputation.alienvault.com/reputation.data
  • 11. Index 1. What is IP Reputation 2. Open Source IP Reputation Portal 3. How is the engine 3.1. Architecture design 3.1.1. Server 3.1.2. Agent 3.1.3. URL system 3.2. Scoring system 4. Feeding the engine
  • 12. Architecture design Server Database Prefilter URL system Agent IPs/domains URLs Agent DATA IP reputation portal
  • 13. Scoring system DNSBL + BULK DOMAINS + DYNAMIC IP DYNAMIC DNS + GOOGLE SAFE BROWSING + FILE-SHARING IP - ALEXA TOP ONE MILLION - HEURISTIC DOMAIN +
  • 14. Scoring system DNSBL + $ host 6.6.6.6.zen.spamhaus.org Host 6.6.6.6.zen.spamhaus.org not BULK DOMAINS + found: 3(NXDOMAIN) DYNAMIC IP $ host 2.0.0.127.zen.spamhaus.org 2.0.0.127.zen.spamhaus.org has DYNAMIC DNS + address 127.0.0.10 2.0.0.127.zen.spamhaus.org has address 127.0.0.2 GOOGLE SAFE BROWSING + 2.0.0.127.zen.spamhaus.org has address 127.0.0.4 FILE-SHARING IP - ALEXA TOP ONE MILLION - HEURISTIC DOMAIN +
  • 15. Scoring system DNSBL + *.co.be BULK DOMAINS + *.co.cc *.co.com.au DYNAMIC IP *.co.tv *.com.ua DYNAMIC DNS + *.cu.cc GOOGLE SAFE BROWSING + *.cw.cm *.cx.cc FILE-SHARING IP - *.cz.cc ALEXA TOP ONE MILLION - *.cz.tf HEURISTIC DOMAIN +
  • 16. Scoring system DNSBL + BULK DOMAINS + $ host 87.216.x.x DYNAMIC IP x.x.216.87.in-addr.arpa domain name pointer x.x.216.87.dynamic.jazztel.es. DYNAMIC DNS + GOOGLE SAFE BROWSING + FILE-SHARING IP - ALEXA TOP ONE MILLION - HEURISTIC DOMAIN +
  • 17. Scoring system DNSBL + BULK DOMAINS + *.ath.cx DYNAMIC IP *.dyndns.org DYNAMIC DNS + *.no-ip.biz *.no-ip.info GOOGLE SAFE BROWSING + *.no-ip.org FILE-SHARING IP - ALEXA TOP ONE MILLION - HEURISTIC DOMAIN +
  • 18. Scoring system DNSBL + BULK DOMAINS + DYNAMIC IP DYNAMIC DNS + GOOGLE SAFE BROWSING + FILE-SHARING IP - ALEXA TOP ONE MILLION - HEURISTIC DOMAIN +
  • 19. Scoring system DNSBL + BULK DOMAINS + DYNAMIC IP DYNAMIC DNS + GOOGLE SAFE BROWSING + FILE-SHARING IP - ALEXA TOP ONE MILLION - HEURISTIC DOMAIN +
  • 20. Scoring system DNSBL + BULK DOMAINS + 1, google.com DYNAMIC IP 2, facebook.com 3, youtube.com 4, yahoo.com DYNAMIC DNS + 5, baidu.com 6, wikipedia.org GOOGLE SAFE BROWSING + 7, live.com 8, blogspot.com 9, amazon.com FILE-SHARING IP - 10, twitter.com ... ALEXA TOP ONE MILLION - 999999, panciapiatta.net 1000000, acsysun.co.jp HEURISTIC DOMAIN +
  • 21. Scoring system DNSBL + BULK DOMAINS + ypyfp.com.tw jlmjalzjk.gs ewdkddr.me DYNAMIC IP xzasuf.com.pt nnis.co.uk DYNAMIC DNS + qzlx.co.za tuxs.com.ua GOOGLE SAFE BROWSING + upwcbab.tw hkwytkey.pe uzabfgqfk.my FILE-SHARING IP - http://labs.alienvault.com/labs/ index.php/2012/detecting-malware- ALEXA TOP ONE MILLION - domains-by-syntax-heuristics/ HEURISTIC DOMAIN +
  • 22. Index 1. What is IP Reputation 2. Open Source IP Reputation Portal 3. How is the engine 4. Feeding the engine 4.1. External sources 4.2. Our sandnet 4.3. AlienVault OTX 5. Current integrations
  • 23. Getting data from external sources { Malware Trackers Malicious Hosts lists Open Proxy lists Scanning Hosts lists SPAM Trackers and more...
  • 24. Our sandnet Samples Queue Sandbox Sandnet web panel Sandnet { } Database Traffic, rules trigger Traffic, no rules trigger No traffic! IP Reputation Database
  • 25. AlienVault OTX is a system for sharing threat intelligence among OSSIM users and AlienVault customers. http://www.alienvault.com/alienvault-labs/open- threat-exchange/
  • 26.
  • 27.
  • 28. Index 1. What is IP Reputation 2. What is the Open Source IP Reputation Portal 3. How is the engine 4. Feeding the engine 5. Current integrations 5.1. Integration in OSSIM 5.2. Other integrations
  • 29. Integration in OSSIM OSSIM is an Open Source SIEM (Security Information Event Management). A comprehensive compilation of tools that work together to provide a detailed view over each and every aspect of your networks, hosts, physical access devices, server, etc. http://communities.alienvault.com/community A security event manager (SEM) (acronyms SIEM and SIM) is a computerized tool used on enterprise data networks to centralize the storage and interpretation of logs, or events, generated by other software running on the network. http://en.wikipedia.org/wiki/Security_event_manager
  • 30. { fprobe, nfSen (flow collector and analyzer) Snort (IDS) + EmergingThreats ruleset OSSEC (HIDS) Nagios (service and infrastructure monitoring) OpenVAS, Nessus (vulnerability assessment) p0f, PADS, arpwatch (passive network monitoring) nmap (network scanning) OCS Inventory NG (host-based inventory) Wireshark, tcpdump (full packet capture) and more...
  • 31. { data collection with plugins: routers, firewalls, switches... load balancers, intrusion prevention systems honeypots, web proxies, web application firewalls ...
  • 32. OSSIM architecture Find patterns Server Correlation engine Insert events Normalized data Sensors Database Detects new data DATA
  • 33. Logic correlation if detected firewall or proxy event + and is an ACCEPT or HTTP code 200 OK event + and the destination IP has a low reputation = alarm <directive id="29001" name="Suspicious communication on SRC_IP" priority="5"> <rule type="detector" name="HTTP connection to low IP reputation destination" plugin_id="1503" plugin_sid="1" reliability="10" occurrence="1" from="HOME_NET" to="!HOME_NET" port_from="ANY" port_to="80,443" to_reputation="true" protocol="TCP"/> </directive>
  • 35. Other integrations Snort reputation format Iptables format Squid format Unix (hosts.deny) format More to come: shellscripts, configuration guides, nfSen plugin...
  • 36. Future of the IP reputation Live scoring API Predictive IP reputation Extent to domain blocklist
  • 37. Conclusions 1. Free to use IP Reputation database 2. Detailed information about the activity and history of every IP through the web portal 3. Continuously updated and maintained using different resources and improved with AlienVault OTX 4. Fully integrated in OSSIM, ready to be easily integrated with another systems
  • 38. http://labs.alienvault.com Alberto Ortega Guillermo Grande a0rtega Guillermo aortega@alienvault.com ggrande@alienvault.com