[Snort-users] building a local IP reputation

김무성 kimms at ...14610...
Tue Jul 26 03:38:06 EDT 2011

Hello list.

I'm researching how to build a local IP reputation for our product (an IDS).
There are a few factors for building the reputation:

Risk rate, False positive rate, global IP reputation, rule's lifecycle

Example) Risk rate is from 1 to 5; 5 is very risky.
         False positive rate is from 1 to 5; 5 means that there is no FP.
         So, 5x5 = IP reputation is very bad.

In addition, global IP reputation (from Symantec, McAfee, etc.) and the rule's lifecycle help with scoring.

Example) If the above log has a bad IP reputation and is in the lifecycle, this must be a real attack.

Are there any other factors which help to calculate a reputation score (in the field of network-based signatures)?
Or any materials or articles?
