Distributed Blocking and Feedback
Similar and complementary to IpReputation.
SnortSam is a prime example. Field tests a couple of years ago showed that large and small organizations sharing information about attackers, so that real-time blocks could be made, was extremely useful. But the sheer number of blocks, and the lack of extra information that would allow local block decisions to be adjusted, eventually made it risky.
I would like to see a scaled-up SnortSam client be an integral part of this engine. The engine itself could do the actual blocking, using a more effective IP matching algorithm such as IP hash tables.
This should be built so that the engine can connect to and interact with multiple feeds/hubs. Partner organizations could link together, and public hubs could be available as well. Commercial feeds would be a very viable option for reliable data sources.
Challenges:
Sheer volume of information. Needs a bandwidth- and CPU-efficient way to receive and push blocks.
Needs a centralized hub that can handle the volume and do a great deal of data massaging, as well as replay blocks a client misses due to connectivity loss, etc.
--
MattJonkman - 17 Oct 2008
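To make the design above concrete, here is an added sketch of a multi-hub block-feed client. It is example code written for this page, not SnortSam code and not part of the engine. It shows the three points the page raises: blocks kept in a hash table keyed by the integer form of the address so matching is a single lookup; local policy (a minimum confidence, a cap on block lifetime, and a never-block list) so a site can adjust the hub's decision instead of accepting every block as sent; and per-hub sequence numbers so a client that loses its connection can ask for everything after the last message it applied and replay what it missed. The hub names, message fields (`seq`, `ip`, `action`, `confidence`, `ttl`) and the sample feed contents are all constructed for the example; the `fetch()` function stands in for whatever transport a real hub would use.

```python
import ipaddress

# Constructed sample hub feeds for this example (not captured hub traffic).
# Each hub numbers its messages so a client can ask for "everything after
# seq N" and replay what it missed while disconnected.
SAMPLE_FEEDS = {
    "partner-hub": [
        {"seq": 1, "ip": "203.0.113.5", "action": "block", "confidence": 90, "ttl": 3600},
        {"seq": 2, "ip": "203.0.113.6", "action": "block", "confidence": 40, "ttl": 600},
        {"seq": 3, "ip": "203.0.113.5", "action": "unblock"},
    ],
    "public-hub": [
        {"seq": 10, "ip": "198.51.100.7", "action": "block", "confidence": 95, "ttl": 7200},
        {"seq": 11, "ip": "203.0.113.6", "action": "block", "confidence": 70, "ttl": 1800},
        {"seq": 12, "ip": "192.0.2.44", "action": "block", "confidence": 99, "ttl": 3600},
    ],
}


def fetch(hub, after_seq):
    """Stand-in for a hub query (assumed transport): messages with seq > after_seq."""
    return [m for m in SAMPLE_FEEDS[hub] if m["seq"] > after_seq]


class BlockTable:
    """Blocks keyed by int(ip): a dict lookup, so matching a packet is O(1)."""

    def __init__(self, min_confidence, max_ttl, never_block):
        self.min_confidence = min_confidence   # local policy: ignore weak reports
        self.max_ttl = max_ttl                 # local policy: cap how long a block lives
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.entries = {}                      # int(ip) -> {"hub", "confidence", "expires"}
        self.last_seq = {}                     # hub -> highest seq applied from it

    def apply(self, hub, msg, now):
        self.last_seq[hub] = max(self.last_seq.get(hub, 0), msg["seq"])
        addr = ipaddress.ip_address(msg["ip"])
        key = int(addr)
        if msg["action"] == "unblock":
            cur = self.entries.get(key)
            if cur and cur["hub"] == hub:      # a hub may only lift a block it owns
                del self.entries[key]
            return
        if any(addr in net for net in self.never_block):
            return                             # never block our own ranges
        if msg["confidence"] < self.min_confidence:
            return                             # below the site's threshold
        expires = now + min(msg["ttl"], self.max_ttl)
        cur = self.entries.get(key)
        if cur is None or msg["confidence"] >= cur["confidence"]:
            prev_exp = cur["expires"] if cur else 0
            self.entries[key] = {"hub": hub, "confidence": msg["confidence"],
                                 "expires": max(expires, prev_exp)}
        else:
            # a weaker report never downgrades an entry; it can only extend it
            cur["expires"] = max(cur["expires"], expires)

    def sync(self, hub, now):
        """Pull everything newer than what we last applied from this hub (replay)."""
        for msg in fetch(hub, self.last_seq.get(hub, 0)):
            self.apply(hub, msg, now)

    def is_blocked(self, ip, now):
        e = self.entries.get(int(ipaddress.ip_address(ip)))
        return e is not None and e["expires"] > now


def demo(now=1224230400):
    """Walk the sample feeds through a client whose partner link drops mid-feed."""
    table = BlockTable(min_confidence=50, max_ttl=1800, never_block=["192.0.2.0/24"])
    # First pass: the partner-hub connection drops after its first message.
    table.apply("partner-hub", SAMPLE_FEEDS["partner-hub"][0], now)
    blocked_before = table.is_blocked("203.0.113.5", now)
    # Reconnect: replay from the last applied seq, then pull the public hub too.
    table.sync("partner-hub", now)
    table.sync("public-hub", now)
    return {
        "before_replay": blocked_before,                               # True
        "unblocked_by_replay": not table.is_blocked("203.0.113.5", now),  # seq 3 replayed
        "weak_then_strong": table.is_blocked("203.0.113.6", now),      # 40 dropped, 70 kept
        "allowlisted": not table.is_blocked("192.0.2.44", now),        # never-block range
        "expired": not table.is_blocked("198.51.100.7", now + 1801),   # ttl capped to 1800
        "last_seq": dict(table.last_seq),
    }


if __name__ == "__main__":
    print(demo())
```

The replay is what makes the missed `unblock` safe to recover: because the client records the highest sequence number it applied per hub, reconnecting costs one "after seq N" query rather than a full resync, and the hub only has to keep a window of recent messages to serve it. The local policy fields are the "extra information" the page says SnortSam lacked; a site that distrusts a public hub can raise its threshold or shorten its TTL cap without touching the feed.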