Shared information about malicious behaviour allows you to detect, and sometimes prevent, activity from – and to – Internet resources that could compromise your systems' security. I've already described how to use lists of malicious domain names in a BIND RPZ (Response Policy Zone). Adding an information feed like AlienVault OTX (Open Threat Exchange) to the mix further extends the awareness and detection capabilities.

AlienVault is probably best known for their SIEM (Security Information and Event Management) named Unified Security Management™, with a scaled-down open source version named Open Source Security Information and Event Management (OSSIM). They also provide a platform for sharing threat intelligence, namely Open Threat Exchange (OTX).

OTX is based on registered users sharing security information, for instance domains and hostnames involved in phishing scams, IP addresses performing brute force SSH login attempts, etc. The information is divided into so-called pulses, each pulse being a set of information items considered part of the same malicious activity. For example, a pulse can contain URLs to a site spreading drive-by malware, the IP addresses of its C&C, along with hashes of the files. By selecting which pulses and/or users to subscribe to, the registered information in each pulse becomes available through a feed from their API.

Having carefully reviewed which users/pulses to subscribe to – there's always a risk of false positives – I'm now regularly receiving an updated feed. This feed is parsed and currently split into two files: one RPZ file containing hostnames and domains for use with BIND, and one file containing IP addresses for use with SiLK.

As explained in an earlier post, OSSEC will let me know if someone (or something) makes DNS requests for a domain or hostname registered as malicious. Extending this to include the DNS records obtained from OTX was simply a matter of defining a new RPZ in BIND.

Building a toolbox around threat intelligence can be done with freely available tools.
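As an added example (not code from the original post), here is a small Python sketch of the feed split described above: it takes pulse indicators in the shape the OTX API returns them (the sample pulses are constructed), keeps hostnames and domains for a BIND RPZ zone and IP addresses for a SiLK IPset, and validates both so a malformed feed entry cannot break the zone. The zone name otx.rpz, the NXDOMAIN (CNAME .) policy action and the one-address-per-line input for rwsetbuild are assumptions, not details from the post.

```python
import ipaddress
import re

# Constructed sample shaped like OTX pulse indicators (type names follow
# the OTX API; every value here is made up for this example).
SAMPLE_PULSES = [
    {"name": "Phishing kit (constructed)", "indicators": [
        {"indicator": "login-secure.example", "type": "domain"},
        {"indicator": "cdn7.bad.example", "type": "hostname"},
        {"indicator": "192.0.2.44", "type": "IPv4"},
        {"indicator": "http://bad.example/x.php", "type": "URL"},  # not for DNS/SiLK
    ]},
    {"name": "SSH brute force (constructed)", "indicators": [
        {"indicator": "198.51.100.7", "type": "IPv4"},
        {"indicator": "not a hostname!", "type": "domain"},  # malformed, dropped
    ]},
]

# Feed data is untrusted: one malformed name could stop BIND loading the whole zone.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
def valid_name(name):
    return "." in name and all(_LABEL.match(l) for l in name.split("."))
def split_indicators(pulses):
    """Return ({name: is_domain}, {ip}): names for the BIND RPZ, IPs for SiLK."""
    names, ips = {}, set()
    for pulse in pulses:
        for ind in pulse["indicators"]:
            value, kind = ind["indicator"].strip().lower().rstrip("."), ind["type"]
            if kind in ("domain", "hostname") and valid_name(value):
                names[value] = names.get(value, False) or kind == "domain"
            elif kind in ("IPv4", "IPv6"):
                try:
                    ips.add(str(ipaddress.ip_address(value)))
                except ValueError:
                    pass  # anything that is not a literal address is skipped
    return names, ips
def rpz_zone(names, origin="otx.rpz", serial=1):
    """RPZ zone text; 'CNAME .' makes BIND answer NXDOMAIN for matching queries."""
    lines = [f"$ORIGIN {origin}.", "$TTL 300",
             f"@ SOA localhost. root.localhost. {serial} 3600 900 604800 300",
             "@ NS localhost."]
    for name, is_domain in sorted(names.items()):
        lines.append(f"{name} CNAME .")
        if is_domain:  # a domain entry also covers its subdomains; a hostname does not
            lines.append(f"*.{name} CNAME .")
    return "\n".join(lines) + "\n"
def silk_set_input(ips):
    """One address per line, the text format rwsetbuild turns into a SiLK IPset."""
    return "\n".join(sorted(ips, key=lambda a: ipaddress.ip_address(a).packed)) + "\n"
```

Feed the zone text to BIND as the file behind the new response-policy zone and pipe the address list through rwsetbuild to get the IPset for SiLK queries.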