[Snort-devel] building a local IP reputation
kimms at ...3084...
Tue Jul 26 03:38:06 EDT 2011
I'm researching how to build a local IP reputation for our product (IDS).
There are a few factors for building reputation:
Risk rate, False positive rate, global IP reputation, rule's lifecycle
Example) Risk rate is from 1 to 5. 5 is very risky.
False positive rate is from 1 to 5. 5 means that there is no FP.
So, 5x5 = IP reputation is very bad.
In addition, global IP reputation (from Symantec or McAfee, etc.) and the rule's lifecycle help scoring.
Example) If the above log has a bad IP reputation and is in the lifecycle, this must be a real attack.
Are there any other factors which help to calculate a reputation score? (in the field of network-based signatures)
Or any materials or articles?