is the Emerging Threats Data Sharing Tool that allows users to report anonymously their local IDS/IPS event data. In return you will (soon) get an analysis of how your events compare to the whole, what you're missing, what trends are showing globally, and what you can do to tune your rulesets.
All data is reported in a non-source identifiable way using PGP to encrypt in transit. So your data can only be decrypted by you or the Emerging Threats data correlation process.
We are currently Beta Testing the SidReporter
perl collector. You can download the current version of the SidReporter
CVS access is available here for the most up to date version:
Instructions for installing SidReporter
and some notes on the best way to get GnuPG?
running are available here:
Exactly what SidReporter
reports is made clear by looking at the format of an event report (which you can review before SidReporter
sends it out if you like):
A sample report line:
Event type (Default=Snort, but in case we begin to bring in other types of data)
Weight Value to increase or decrease ranking of event (default=-1; fp have are <0; tp are >0). This will be used when we give SIM's the ability to rate events.
Type of ranking (default=1) Future use
Generator ID if applicable
SID Rev if appropriate
Time in UTC of event occurrence (default: submission time)
PROTO: 6 for TCP, 17 for UDP, 1 for ICMP, 47 for GRE, etc. See http://www.iana.org/assignments/protocol-numbers
SRC ip int: Src ip address in the event
Is the Source IP Obfuscated (0/1)
Is the Destination IP Obfuscated (0/1)
Is the Source or Destination Bad? (For later when the SIM can feed info back from the analyst)
That's it, this is all that's reported. You can choose in the sidreporter.conf to obfuscate your internal and external IP ranges.
- 04 Aug 2008