I saw TrustedSource and tried it with AdSense-filtered URLs. Most of the time, it classified them as neutral, though these URLs are known to install spyware/malware. Now think of an IDS that scans a packet based on its reputation, which is taken from TrustedSource, and you will have many false negatives.

On Wed, Nov 26, 2008 at 9:30 PM, Bourque Daniel <[EMAIL PROTECTED]> wrote:
> Look at TrustedSource
>
> http://www.trustedsource.org/
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tremaine Lea
> Sent: November 25, 2008 20:32
> To: Sanjay R
> Cc: Gautam Singaraju; [email protected]
> Subject: Re: Email reputation for inout to IDSs?
>
> Hi Sanjay,
>
> Conversely to your point, IP addresses/email addresses that have poor
> reputations due to being a source of UCE/UBE go under heightened
> scrutiny or may be blocked based on the implementer's policy/preference
> for other protocols.
>
> There are a few IPS/IDS solutions out there utilizing email reputation
> as part of their solutions, and they primarily get their strength from a
> centralized managed db on the part of the vendor supplying the solution.
>
> Cheers,
>
> ---
>
> Tremaine Lea
> Network Security Consultant
> Intrepid ACL
> Paranoia for hire
>
> The best way to find out if you can trust somebody is to trust them. -
> Ernest Hemingway
>
> On Tue, 2008-11-25 at 21:09 +0530, Sanjay R wrote:
>> Hi Gautam:
>> My general feeling towards the reputation system is "It is not a
>> security mechanism" and it should be proven either by me or by someone
>> else in more formal words/way.
>> Now let us take the scenario that you posed. Each email has a
>> reputation value associated with it (magically!!) and IDS should scan
>> it based on its reputation value (in this way, we are anyway defeating
>> the very purpose of having IDS). First thing is "what are parameters
>> to be used in calculating reputation?" Another thing is: You must be
>> knowing that a virus/worm spread quite randomly (loosely speaking) and
>> many emails infected by a new virus will be having high reputation
>> values and therefore, bypass the IDS (a case of false negative).
>> Let me know if you are not convinced or I have missed something in your
>> views.
>> -sanjay
>>
>> On Tue, Nov 25, 2008 at 12:14 AM, Gautam Singaraju
>> <[EMAIL PROTECTED]> wrote:
>> > Sanjay,
>> >
>> > FYI:
>> > http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1271716,00.html
>> >
>> > ---
>> > Gautam
>> >
>> > On Mon, Nov 24, 2008 at 1:24 PM, Gautam Singaraju
>> > <[EMAIL PROTECTED]> wrote:
>> >> Hi Sanjay,
>> >>
>> >> I have a hearsay that some commercial products are in fact attempting
>> >> this. I understand that inputs from IDSs are being used to 'refine'
>> >> email reputation and vice-versa; though I have not seen any numbers
>> >> that attempt these.
>> >>
>> >> The idea is that: IDSs can monitor connections from those senders
>> >> closely depending on the reputation (reputation 80 to 100: basic
>> >> checks; 50-80 moderate checks; less than 50 extensive checks). The
>> >> number of classes and boundaries could be variable. In comparison,
>> >> blacklist is just "good/bad".
>> >>
>> >> I want to test this theory that email reputation could be useful in
>> >> more mechanisms than just classifying emails.
>> >> ---
>> >> Gautam
>> >>
>> >> On Mon, Nov 24, 2008 at 1:10 PM, Sanjay R <[EMAIL PROTECTED]> wrote:
>> >>> Hi Gautam,
>> >>> Can you please mention those references that have tried to incorporate
>> >>> email reputation systems into an IDS? To me, it appears that this type
>> >>> of solutions are more close to creating a "black-list" rather than
>> >>> core functionality of IDS, i.e. detecting an attack (malicious
>> >>> activities).
>> >>>
>> >>> -sanjay
>> >>>
>> >>> On Sun, Nov 23, 2008 at 6:51 AM, Gautam Singaraju
>> >>> <[EMAIL PROTECTED]> wrote:
>> >>>> All,
>> >>>>
>> >>>> I have been working in email reputation system that has computed
>> >>>> sender reputations for over a year. I believe that there are a couple
>> >>>> of efforts to incorporate email reputations into IDSs. Is someone in
>> >>>> the group working on this?
>> >>>> Are there any IDSs which can be configured
>> >>>> to perform extensive analysis for non-reputable senders? I would be
>> >>>> interested in sharing this data with other researchers in the group.
>> >>>>
>> >>>> ---
>> >>>> Gautam
>> >>>
>> >>> --
>> >>> Computer Security Learner

--
Computer Security Learner
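
The tiered-inspection idea and the false-negative objection discussed in this thread, as an added example that is not part of any poster's message: it gates inspection depth on the quoted score classes and lists what the gating lets through compared with always running every check. The check functions, the sample messages and the choice to treat a score of exactly 80 as the "basic" class are assumptions.

```python
# Added illustration. Tier boundaries follow the thread (80-100 basic,
# 50-80 moderate, below 50 extensive); checks and messages are constructed.
from dataclasses import dataclass

@dataclass
class Mail:
    sender: str
    reputation: int   # 0..100 from some reputation feed (assumed scale)
    subject: str
    attachment: str
    body: str

# Hypothetical checks, cheapest first.
def header_check(m):
    return "urgent wire" in m.subject.lower()

def attachment_check(m):
    return m.attachment.lower().endswith((".exe", ".scr"))

def content_check(m):
    return "http://" in m.body and "login" in m.body.lower()

TIERS = [  # (minimum reputation, checks run for that class)
    (80, [header_check]),                                   # basic
    (50, [header_check, attachment_check]),                 # moderate
    (0,  [header_check, attachment_check, content_check]),  # extensive
]
ALL_CHECKS = TIERS[-1][1]

def checks_for(reputation):
    if not 0 <= reputation <= 100:
        raise ValueError("reputation must be within 0..100")
    return next(checks for floor, checks in TIERS if reputation >= floor)

def gated_verdict(m):
    return any(check(m) for check in checks_for(m.reputation))

def full_verdict(m):
    return any(check(m) for check in ALL_CHECKS)

def reputation_misses(mails):
    """Senders that full inspection flags but reputation gating passes."""
    return [m.sender for m in mails if full_verdict(m) and not gated_verdict(m)]

SAMPLE = [  # constructed messages
    Mail("bulk@example.com", 20, "URGENT wire transfer", "", ""),
    Mail("colleague@example.org", 95, "Q4 figures", "figures.scr", "see attached"),
    Mail("newsletter@example.net", 65, "Account notice", "",
         "Please verify at http://portal.example.net/login"),
    Mail("friend@example.org", 90, "Lunch?", "", "noon works"),
]

if __name__ == "__main__":
    print(reputation_misses(SAMPLE))
```

Comparing `reputation_misses` on replayed traffic against the always-full baseline gives a direct count of the false negatives a given set of class boundaries introduces.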
