Slashdot Mirror

← Back to Stories (view on slashdot.org)

Attack Registry And Intelligence Service

Posted by CmdrTaco on from the something-smelly-in-your-logs dept.

thelaw writes: "SecurityFocus just announced the start of their new service, ARIS (Attack Registry and Intelligence Service) Analyzer. The service allows you to submit logs from several different intrusion detection systems automatically and quasi-anonymously. Looking at the front page, they seem to have over 700,000 incidents already reported since starting."

6 of 73 comments (clear)

  1. Change the URL to point to port 23 by Decado · · Score: 5

    And I'll bet they can clear 1,000,000 attacks before the day is out.

    --

    Slashdot: Proof that a million monkeys at a million typewriters can create a masterpiece

  2. Potential problem by ChazeFroy · · Score: 5

    This centralized service for reporting will lead to some falsified logs being submitted to get somebody in trouble. I hope people use this service, but I also hope they take it with a grain of salt.

  3. Anonymous? by cavemanf16 · · Score: 5
    Well, the US sure seems to be getting bombarded. I didn't know there were that many political attackers and script kiddie crackers out there. Maybe this will show some US companies just how big a deal security (including protecting the info they always collect on me) really is.

    And my bit of paranoia for the day:
    Why do they keep saying how 'secure and private' the log files you send them are? Can't they just trace the IP that sent the log right back to the company and/or individual who owns the IP (unless of course it's a dynamic IP being assigned)? Not that they would want to do so, but let's just stop advertising privacy. There is no privacy on the net. It's like streaking thru a crowded marketplace; not many people notice, but those that do get to see the whole deal.

  4. Am I the only one who missed the point? by GodHead · · Score: 4

    I must have missed something.

    I'm not trying to troll or anything but other than the "Cool" factor what does this service do? How is knowing the most common attack types going to help me? The common ones are already patched by clued-in admins. I mean did you see the common attack list? If you're open to SNMP GET you have problems.

    Are they going to try and find new attacks with the data or something?

    G.H.

    --
    Just wait till some crappy band steals your nic.
  5. An Intrusion database a'la ORBS? by Anonymous Coward · · Score: 4

    This service has two sides:
    The bright side is that it will bring stats of intrussion attempts. This is particularly interesting, because you can learn wha't going around and take measures before it's too late.

    The dark side is that I see a forthcomming IASD (Intrussion Attempt source database) available online, so many ppl will start banning IP's "Just in case".

    I do not like ORBS, I feel it's not usefull because of the tendence of give false positives.
    As an example, we use a very strict mail relay policy, and every week I get the ORBS tester machines sending mails that end up in postmaster because of their lack of valid rcpt addressess.
    Every time is because some ignorant saw SPAM w/bogus reply addresses in some of our domains and thinks that the spam was actually sent from one of our SMTP servers (false, all tend to came from yah00 or h0tmail or some server in korea, who cares).

    Imagine a script kiddie who, instead of deleting it's path in the victim's logfile, now replaces it's IP w/someone else's IP address.

    Who audits the victim's security policy? Who gives for grant that the supposed victim is honest?

    This is very, very difficult to prove.

  6. Re:What am I missing? by ryanr · · Score: 5

    First, what the heck is the definition of an "incident"?

    Actually, that's done on a per IDS entry basis. We take each attack description that comes out of each IDS, and correlate those all to a central attack description of our own creation. Then, for each of those, we make a judgement call on whether it is something that should be reported or not. The majority of reports we get are classified as event or probes, things you should't report on. They aren't attacks in and of themselves. There are other attempts that, were the victim vulnerable to what was being checked for, they would just have been penetrated. Those we classify as incidents.

    If some goofball script kiddie runs a script that sends out 100,000 pings of death, is that one incident, or 100,000? If he tries a Syn flood attack on my site, setting up 1,000 sessions, is that one incident, or 1,000?

    It depends how your IDS groups them. We get our information from the IDS logs. Many IDS systems can treat that sort of thing as a collective event.

    How do we know SecurityFocus can be trusted? How do we know we're not handing our log files over to someone who's already hacked SecurityFocus?

    That's the reason we provide an anonymous upload capability, and the upload tool is open-source. You can check yourself exactly what is being sent.

    What does this service do for us?

    A took a short at proving that bit of info here:
    http://slashdot.org/comments.pl?sid=01/03/26/16312 41&cid=92