[Dshield] Central Reporting Systems - a comment

Johannes Ullrich jullrich at sans.org
Fri Jul 26 01:11:51 GMT 2002


I think you did outline the main points for central reporting
sites (Distributed Intrusion Detection / Correlation).

1. Spotting new trends
2. Validating results (for better notification).

However, I think DShield.org should strive to become more.
We have done excellent early detection in the past, partially
because we don't use signatures and also because we do get
feedback from people we notify.

However, I'd like to look beyond the horizon. In particular,
if you look at the Internet Storm Center site, I hope to
build DShield into a 'collaborative' intrusion detection system.

The difference is that, while now we collect data from distributed
sources, a collaborative system will allow everyone to 'mine' the
data and help to look for new trends. Posts like 'I see a lot
of port x' are helpful in that respect. And Blake's comments about
setting up honeypots or better capturing are well noted.

There is a lot to come. I hope one of these days, we will not
talk about how long after the initial detect we can call a
'storm', but how far in advance we can predict it.


-- 
---------------------------------------------------------------
jullrich at sans.org             Collaborative Intrusion Detection
                                    join http://www.dshield.org