Slashdot Mirror


Attack Registry And Intelligence Service

thelaw writes: "SecurityFocus just announced the start of their new service, ARIS (Attack Registry and Intelligence Service) Analyzer. The service allows you to submit logs from several different intrusion detection systems automatically and quasi-anonymously. Looking at the front page, they seem to have over 700,000 incidents already reported since starting."

4 of 73 comments

  1. Change the URL to point to port 23 by Decado · Score: 5

    And I'll bet they can clear 1,000,000 attacks before the day is out.

    --

    Slashdot: Proof that a million monkeys at a million typewriters can create a masterpiece

  2. Potential problem by ChazeFroy · Score: 5

    This centralized service for reporting will lead to some falsified logs being submitted to get somebody in trouble. I hope people use this service, but I also hope they take it with a grain of salt.

  3. Anonymous? by cavemanf16 · Score: 5

    Well, the US sure seems to be getting bombarded. I didn't know there were that many political attackers and script kiddie crackers out there. Maybe this will show some US companies just how big a deal security (including protecting the info they always collect on me) really is.

    And my bit of paranoia for the day:
    Why do they keep saying how 'secure and private' the log files you send them are? Can't they just trace the IP that sent the log right back to the company and/or individual who owns the IP (unless of course it's a dynamic IP being assigned)? Not that they would want to do so, but let's just stop advertising privacy. There is no privacy on the net. It's like streaking thru a crowded marketplace; not many people notice, but those that do get to see the whole deal.

  4. Re:What am I missing? by ryanr · Score: 5

    First, what the heck is the definition of an "incident"?

    Actually, that's done on a per IDS entry basis. We take each attack description that comes out of each IDS, and correlate those all to a central attack description of our own creation. Then, for each of those, we make a judgement call on whether it is something that should be reported or not. The majority of reports we get are classified as events or probes, things you shouldn't report on. They aren't attacks in and of themselves. There are other attempts where, had the victim been vulnerable to what was being checked for, they would simply have been penetrated. Those we classify as incidents.

    If some goofball script kiddie runs a script that sends out 100,000 pings of death, is that one incident, or 100,000? If he tries a SYN flood attack on my site, setting up 1,000 sessions, is that one incident, or 1,000?

    It depends how your IDS groups them. We get our information from the IDS logs. Many IDS systems can treat that sort of thing as a collective event.

    How do we know SecurityFocus can be trusted? How do we know we're not handing our log files over to someone who's already hacked SecurityFocus?

    That's the reason we provide an anonymous upload capability, and the upload tool is open-source. You can check yourself exactly what is being sent.

    What does this service do for us?

    I took a shot at providing that bit of info here:
    http://slashdot.org/comments.pl?sid=01/03/26/1631241&cid=92
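The per-IDS correlation ryanr describes (vendor signature mapped to a central attack description, then classified as probe/event or incident, with repeats from one source collapsed into a collective event) as an added Python sketch; it is not ARIS code, and the two log formats, signature names and taxonomy labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample alerts in two hypothetical IDS formats (not real ARIS data).
SNORT_LIKE = [
    '[**] [1:469:1] ICMP PING NMAP [**] 10.0.0.5 -> 192.168.1.10',
    '[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] 10.0.0.7 -> 192.168.1.20',
]
CSV_LIKE = [
    'portscan,10.0.0.5,192.168.1.10',
    'tcp_syn_flood,10.0.0.9,192.168.1.30',
    'tcp_syn_flood,10.0.0.9,192.168.1.30',
    'tcp_syn_flood,10.0.0.9,192.168.1.30',
]

# Hypothetical central taxonomy: vendor signature -> (our description, class).
# Only 'incident' (would have succeeded against a vulnerable victim) is reportable.
CENTRAL = {
    'ICMP PING NMAP':                     ('recon/icmp-sweep', 'probe'),
    'portscan':                           ('recon/portscan', 'probe'),
    'tcp_syn_flood':                      ('dos/syn-flood', 'event'),
    'WEB-IIS CodeRed v2 root.exe access': ('exploit/iis-codered', 'incident'),
}

SNORT_RE = re.compile(r'\[\*\*\] \[[\d:]+\] (?P<sig>.+?) \[\*\*\] (?P<src>\S+) -> (?P<dst>\S+)')

def normalize(snort_lines, csv_lines):
    """Turn both IDS formats into (signature, src, dst) tuples."""
    out = []
    for line in snort_lines:
        m = SNORT_RE.match(line)
        if m:
            out.append((m['sig'], m['src'], m['dst']))
    for line in csv_lines:
        sig, src, dst = line.split(',')
        out.append((sig, src, dst))
    return out

def correlate(entries):
    """Map to the central taxonomy; group same attack/src/dst into one collective event."""
    grouped = defaultdict(int)
    for sig, src, dst in entries:
        if sig not in CENTRAL:
            continue  # unknown signature: leave unclassified rather than guess
        name, cls = CENTRAL[sig]
        grouped[(name, cls, src, dst)] += 1
    return [{'attack': n, 'class': c, 'src': s, 'dst': d, 'count': k}
            for (n, c, s, d), k in grouped.items()]
```

The three SYN-flood lines collapse into one record with count 3, and only the CodeRed attempt is classed as an incident.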