[Dshield] DShield vs. Symantec: new features?

Erwin Van de Velde erwin.vandevelde at ua.ac.be
Thu Jan 8 13:58:50 GMT 2004


Talking about new features...
I'm writing a central logging system for security applications, which will run 
in a LAN. This is my master's thesis, by the way :-)
One of the features that would be really handy is the following:
Assume a large scale attack is launched (new virus like blaster or slammer), 
wouldn't it be great if the local security system could be automatically 
warned?
I was thinking of the following: a structured file on the DShield server (XML 
for instance) that normally would be empty (except for the start and end tags 
of course :-) ), but that would contain a list of ports and little 
explanations of the hazards on those ports, when a serious threat is 
discovered (and the infocon is raised to yellow/orange/red).
Now, as far as I can see, the sysadmin has to read the page and adapt the 
firewalls himself, because there is no way to parse such data automatically. 
(Infocon is a picture, the daily messages about exploits and such are plain 
text).
This way, a LAN would be protected against such severe attacks, even when the 
sysadmin is sleeping or on a holiday.

For now, I try to detect attacks and then automatically start a containment 
procedure (closing the firewall for certain IP addresses, blocking internal 
IPs of infected systems, closing ports that are attacked by a large number 
of IPs, ...). This is quite fun, but it would be much better if the LAN did 
not have to get 'sick' before the system could do something.


Greetings,

Erwin Van de Velde
Student of University of Antwerp,
Belgium
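The following is an added example, not code from the original post or from DShield, sketching both halves of what the message proposes: a proactive side that parses a hypothetical XML alert feed (the element names, the `infocon` attribute and the sample entries are assumptions; DShield never published such a file) and turns it into port blocks once the infocon reaches a threshold, and a reactive side that counts distinct source addresses per destination port in constructed firewall log lines and blocks ports hit by many sources. Both sides produce rule strings rather than executing anything, so the decision logic can be reviewed and tested before it is wired to a real firewall.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample feed in a hypothetical format. On a quiet day the file
# holds nothing but the root element, as the post suggests.
EMPTY_FEED = '<alerts infocon="green"></alerts>'
ALERT_FEED = """<alerts infocon="orange">
  <port number="135" proto="tcp">RPC/DCOM worm propagation (Blaster-style)</port>
  <port number="1434" proto="udp">SQL Server resolution worm (Slammer-style)</port>
  <port number="99999" proto="tcp">malformed entry, must be ignored</port>
</alerts>"""

# Constructed firewall log lines in a hypothetical key=value format.
LOCAL_LOG = """\
src=10.1.1.5 dst=10.1.2.9 proto=tcp dport=445
src=10.1.1.6 dst=10.1.2.9 proto=tcp dport=445
src=10.1.1.7 dst=10.1.2.10 proto=tcp dport=445
src=10.1.1.8 dst=10.1.2.11 proto=tcp dport=445
src=10.1.1.5 dst=10.1.2.9 proto=tcp dport=80
"""

INFOCON = {"green": 0, "yellow": 1, "orange": 2, "red": 3}


def parse_feed(xml_text):
    """Return (infocon_level, [(port, proto, reason), ...]) from the feed.
    Entries that are not a valid port/protocol pair are dropped, not trusted."""
    # A real deployment parses a remote file, so use defusedxml there to
    # refuse entity-expansion tricks; ElementTree is enough for this sample.
    root = ET.fromstring(xml_text)
    if root.tag != "alerts":
        raise ValueError("unexpected root element %r" % root.tag)
    level = (root.get("infocon") or "green").lower()
    if level not in INFOCON:
        raise ValueError("unknown infocon level %r" % level)
    entries, seen = [], set()
    for el in root.findall("port"):
        try:
            port = int(el.get("number", ""))
        except ValueError:
            continue
        proto = (el.get("proto") or "tcp").lower()
        if not 0 < port <= 65535 or proto not in ("tcp", "udp") or (port, proto) in seen:
            continue
        seen.add((port, proto))
        entries.append((port, proto, (el.text or "").strip()))
    return level, entries


def feed_blocks(level, entries, threshold="yellow"):
    """Proactive side: ports to block once the infocon is at or above threshold."""
    if INFOCON[level] < INFOCON[threshold]:
        return []
    return [(port, proto, "feed: " + reason) for port, proto, reason in entries]


def observed_blocks(log_text, min_sources=3):
    """Reactive side: ports hit by at least min_sources distinct source addresses."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        try:
            key = (int(fields["dport"]), fields["proto"].lower())
        except (KeyError, ValueError):
            continue  # skip malformed lines instead of guessing
        sources[key].add(fields.get("src"))
    return [(port, proto, "observed: %d sources" % len(srcs))
            for (port, proto), srcs in sorted(sources.items())
            if len(srcs) >= min_sources]


def iptables_rules(blocks):
    """Render block decisions as firewall commands; returned, never executed here."""
    return ["iptables -I FORWARD -p %s --dport %d -j DROP  # %s" % (proto, port, why)
            for port, proto, why in blocks]


if __name__ == "__main__":
    level, entries = parse_feed(ALERT_FEED)
    for rule in iptables_rules(feed_blocks(level, entries) + observed_blocks(LOCAL_LOG)):
        print(rule)
```

The empty feed parses to a green level with no entries, so a poller running every few minutes does nothing until the feed is populated; the `min_sources` threshold on the reactive side is what keeps one noisy host from closing a port for the whole LAN.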



