[Dshield] using the feeds for your firewall

Johannes B. Ullrich jullrich at euclidian.com
Sat Jul 28 04:30:00 GMT 2001


> Essentially, what are people using of the feeds to block firewalls?

That's actually a very good question. One of the initial intents of
DShield was to build such blacklists for firewalls. There has been
enough going on so it fell somewhat by the wayside. I also got a lot
of negative comments for that idea, as it would be possible to blacklist
someone innocent using spoofed sources.

One thing I could think of is a more filtered 'top 100' list. These
would only include hosts that meet certain criteria. Let me throw out
some:

- only authenticated reports will be considered.
- an IP has to show up in multiple authors' reports.
- the report has to be recent (5 days?)

Any ideas? Other options would be to come up with different lists based
on the nature of the target you try to protect.

-- 
-------
jullrich at sans.org                    Join http://www.DShield.org
                                     Distributed Intrusion Detection System
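
The three criteria proposed in the message above, applied to a set of reports. This is an added example, not part of the original post and not DShield's code; the report fields, the two-author minimum, the ranking by distinct-author count and the sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed thresholds: the post says "5 days ?" and "multiple" authors.
MAX_AGE = timedelta(days=5)
MIN_AUTHORS = 2


def filtered_top_list(reports, now, size=100):
    """Return source IPs passing all three criteria, most-corroborated first.
    Report keys (hypothetical): src, author, authenticated, seen (aware datetime)."""
    authors_by_src = defaultdict(set)
    for r in reports:
        if not r["authenticated"]:  # criterion 1: authenticated reports only
            continue
        age = now - r["seen"]
        if age < timedelta(0) or age > MAX_AGE:  # criterion 3: recent, no future stamps
            continue
        authors_by_src[r["src"]].add(r["author"])
    # Criterion 2 counts distinct authors, not reports, so one submitter
    # repeating a (possibly spoofed) source cannot list it alone.
    ranked = sorted(
        ((len(a), src) for src, a in authors_by_src.items() if len(a) >= MIN_AUTHORS),
        key=lambda t: (-t[0], t[1]),
    )
    return [src for _, src in ranked[:size]]


# Constructed sample (documentation address ranges, invented author names):
# (src, author, authenticated, age in days)
NOW = datetime(2001, 7, 28, 4, 30, tzinfo=timezone.utc)
ROWS = [
    ("192.0.2.10", "alice", True, 1), ("192.0.2.10", "bob", True, 2),
    ("192.0.2.10", "carol", True, 4),
    ("198.51.100.7", "alice", True, 1), ("198.51.100.7", "alice", True, 1),
    ("203.0.113.5", "bob", True, 1), ("203.0.113.5", "mallory", False, 1),
    ("203.0.113.99", "alice", True, 9), ("203.0.113.99", "bob", True, 8),
    ("192.0.2.44", "bob", True, 0), ("192.0.2.44", "carol", True, 3),
]
SAMPLE = [
    {"src": s, "author": a, "authenticated": ok, "seen": NOW - timedelta(days=d)}
    for s, a, ok, d in ROWS
]

if __name__ == "__main__":
    print(filtered_top_list(SAMPLE, NOW))
```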




