[Dshield] using the feeds for your firewall
Johannes B. Ullrich
jullrich at euclidian.com
Sat Jul 28 04:30:00 GMT 2001
> Essentially, what are people using of the feeds to block firewalls?
Thats actually a very good question. One of the initial intents of
DShield was to build such blacklists for firewalls. There has been
enough going on so it fell somewhat by the wayside. I also got a lot
of negative comments for that idea, as it would be possible to blacklist
someone inocent using spoofed sources.
One thing I could think off is a more filtered 'top 100' list. These
would only include hosts that meet certain criteria. Let me throw out
- only authenticated reports will be considered.
- an IP has to show up in multiple authors reports.
- the report has to be recent (5 days ?)
Any ideas? Other options would be to come up with different lists based
on the nature of the target you try to protect.
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System
More information about the list