Thursday, January 5, 2012

Automated open source intelligence utilities

In my last post I talked about how you can use open source intelligence information to prioritize your alerts, and I think it could be interesting to make a short comparison between the two utilities I mentioned: ArcOSI and EnigmaIndicators.

As said before, the general idea in both utilities is the same:
  1. Scrape different open source intelligence sites for known malware information such as IPs, domains, URLs, MD5 file hashes, email addresses, etc.
  2. For each entry, create a CEF event with the source and type of intelligence and the threat information.
  3. Send it via syslog to a defined destination.
Both utilities are designed for easy integration with ArcSight, using CEF, so no parser is needed.

In both you can also define your own sources of information and whitelist specific entries.

The main differences I can see are shown in the table below:

Utilities compared:
  - ArcOSI (http://code.google.com/p/arcosi/)
  - EnigmaIndicators (http://enigmaindicators.codeplex.com/)

Scripting language used
  - ArcOSI: Python
  - EnigmaIndicators: Bash (dependencies: bash, cut, grep, zgrep, sed, awk, curl, wget, sort, perl and *nix /dev/udp and/or tcp socket)

Types / number of reputation sources
  - ArcOSI:
      1. IP / 7
      2. Domain / 7
  - EnigmaIndicators:
      1. IP / 49
      2. Domain / 35
      3. Web requested URL / 8
      4. URL file name / 8
      5. User agent string / 2
      6. Email address sender / 1
      7. Email subject / 1
      8. Suspicious files / 4
      9. News feed / 1
      10. MD5 file hash / 7

Entropy calculation
  - ArcOSI: N/A
  - EnigmaIndicators: Enigma calculates entropy (a measure of the randomness of the possible outcomes) against the relevant data it parses, for advanced heuristic detection

Do you know of any other interesting open source intelligence utility?

Prioritizing alerts using automated open source intelligence

After a very busy 2011, I'm starting 2012 with a new year's resolution: "To write posts more often". And here is the first one...

Lately I've been working on how to enrich event data using open source intelligence information, and I'm amazed how much value you can get from it.

The idea is to use reputation information from public sources and correlate it with your internal events in order to prioritize alerts. For example, with IDS/IPS alerts, you can correlate the external IPs in the alerts against a list of known malware IPs and increase the priority if you get a match. Of course you can extend this to domain names, URLs, etc., and also to other log sources such as firewalls, proxies and so on.
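To make both ideas concrete, here is a small added Python example (not code from ArcOSI, EnigmaIndicators or ArcSight) that does the two things the posts describe: it turns scraped indicator entries into CEF event lines as in the three-step procedure of the first post, and it matches the IPs of an IDS alert against that indicator set to raise the alert's priority as in the paragraph above. The feed names, indicator values and alert lines are constructed, the CEF vendor/product fields and the mapping of indicator types to CEF extension keys are my own choices, and the alert format assumed is Snort's fast-alert output, where priority 1 is the most urgent.

```python
import re

# Constructed sample reputation entries in the shape such a utility scrapes them:
# (source feed, indicator type, value). Addresses and domains are documentation values.
INDICATORS = [
    ("feed-a", "ip", "192.0.2.10"),
    ("feed-b", "ip", "192.0.2.10"),
    ("feed-b", "domain", "Bad.Example"),
    ("feed-a", "md5", "d41d8cd98f00b204e9800998ecf8427e"),
]
# Assumed mapping from indicator type to the CEF extension key that carries the value.
CEF_KEY = {"ip": "dst", "domain": "dhost", "md5": "fileHash"}

def cef_escape(value, header=False):
    """Escape per CEF: backslash and '|' in header fields, backslash and '=' in extensions."""
    value = value.replace("\\", "\\\\")
    return value.replace("|", "\\|") if header else value.replace("=", "\\=")

def to_cef(source, itype, value, severity=3):
    """Build one CEF:0 event line for an indicator, ready to be sent over syslog."""
    fields = ["CEF:0", "OSINT", "Indicator", "1.0", itype, f"{itype} from {source}", str(severity)]
    header = "|".join(cef_escape(f, header=True) for f in fields)
    ext = f"{CEF_KEY[itype]}={cef_escape(value)} cs1Label=feed cs1={cef_escape(source)}"
    return f"{header}|{ext}"

def build_lookup(indicators):
    """Index indicators by (type, value) so enrichment is a dict lookup; values are case-folded."""
    lookup = {}
    for source, itype, value in indicators:
        lookup.setdefault((itype, value.lower()), set()).add(source)
    return lookup

# Tail of a Snort fast-alert line: "[Priority: N] {PROTO} src[:port] -> dst[:port]".
FAST_ALERT = re.compile(r"\[Priority: (\d+)\] \{\w+\} (\S+?)(?::\d+)? -> (\S+?)(?::\d+)?$")

def prioritize(alert_line, lookup, boost=1):
    """Match the alert's source and destination IPs against the lookup and return
    (priority, matched_feeds). Snort priority 1 is the most urgent, so a hit lowers the number."""
    m = FAST_ALERT.search(alert_line.strip())
    if not m:
        return None, []
    prio, src, dst = int(m.group(1)), m.group(2), m.group(3)
    feeds = lookup.get(("ip", src), set()) | lookup.get(("ip", dst), set())
    return (max(1, prio - boost) if feeds else prio), sorted(feeds)

if __name__ == "__main__":
    for src, itype, value in INDICATORS:
        print(to_cef(src, itype, value))
    # Constructed Snort-style fast alert line; its source IP is listed by two feeds.
    print(prioritize("01/05-10:00:00.000000  [**] [1:1000001:1] Test [**] [Priority: 3] {TCP} 192.0.2.10:4444 -> 10.0.0.5:80", build_lookup(INDICATORS)))
```

The CEF lines would go to the SIEM over syslog, and the lookup is the piece a correlation rule (or a pre-processing script in front of it) uses to bump priority on a match.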