On 12/17/2009 03:30 PM, Marc Perkel wrote:
> Then the third field is NONE. That's how I do it. But the idea is that
> any kind of data can be collectively gathered and distributed.
Instead of a TCP channel (which means software), what about using DNS?
If the SA clients did RBL lookups that contained the details as part of
the query, then if your end parses DNS logs (I'm thinking djbdns, don't
know about BIND), then you could extract the data yourself.
You could even introduce a token into the RBL to stop the bad guys
corrupting your corpus (a problem you'll have to deal with anyway
whatever the network mechanism).
e.g. (token == "834ufg754")
spam.1.2.3.4.834ufg754.newrbl.com
ham.5.6.7.8.834ufg754.newrbl.com
i.e. only the DNS logs that contain valid tokens are legitimate
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
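The scheme Jason sketches above has two halves: a client that encodes a verdict as a query name under the RBL zone, and a log consumer on the RBL side that keeps only the lookups carrying the agreed token. The following Python is an added example written for this page; it is not code from the thread, from SpamAssassin, or from djbdns. The log-line layout it parses (timestamp, the word "query", client address, query name, query type) is constructed for the example and is not djbdns's or BIND's real log format; the zone `newrbl.com` and the token `834ufg754` are the ones used in the message. One caveat worth keeping in mind when using such a token: it travels in cleartext in every DNS query, so any recursive resolver or network observer between the client and the RBL can read it, which makes it a filter against casual noise rather than a strong authenticator.

```python
import hmac
import re
from typing import Iterable, List, NamedTuple, Optional

# Values taken from the message; the zone and token are assumptions for the example.
RBL_ZONE = "newrbl.com"
TOKEN = "834ufg754"


class Report(NamedTuple):
    verdict: str  # "spam" or "ham"
    ip: str       # dotted quad as the client submitted it


def _valid_ipv4(ip: str) -> bool:
    """Accept only four decimal octets in 0..255 (regex alone allows e.g. 300)."""
    parts = ip.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def build_query_name(verdict: str, ip: str, token: str = TOKEN, zone: str = RBL_ZONE) -> str:
    """Client side: the name an SA client would look up to report one classification."""
    if verdict not in ("spam", "ham"):
        raise ValueError("verdict must be 'spam' or 'ham'")
    if not _valid_ipv4(ip):
        raise ValueError("ip must be a dotted-quad IPv4 address")
    return f"{verdict}.{ip}.{token}.{zone}"


def _qname_pattern(zone: str) -> "re.Pattern[str]":
    # <verdict>.<a.b.c.d>.<token>.<zone>, with an optional trailing dot as DNS logs often have.
    return re.compile(
        r"^(?P<verdict>spam|ham)\."
        r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\."
        r"(?P<token>[A-Za-z0-9]+)\."
        + re.escape(zone) + r"\.?$",
        re.IGNORECASE,
    )


def parse_query_name(qname: str, token: str = TOKEN, zone: str = RBL_ZONE) -> Optional[Report]:
    """RBL side: turn one looked-up name into a Report, or None if it is not a valid submission."""
    m = _qname_pattern(zone).match(qname)
    if not m:
        return None
    # Constant-time compare so the token check does not leak via timing.
    if not hmac.compare_digest(m.group("token"), token):
        return None
    ip = m.group("ip")
    if not _valid_ipv4(ip):
        return None
    return Report(m.group("verdict").lower(), ip)


def extract_reports(log_lines: Iterable[str], token: str = TOKEN, zone: str = RBL_ZONE) -> List[Report]:
    """Walk query-log lines (constructed format: ts 'query' client qname qtype) and collect valid reports."""
    reports: List[Report] = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4 or fields[1] != "query":
            continue  # not a query record in the assumed format
        report = parse_query_name(fields[3], token, zone)
        if report is not None:
            reports.append(report)
    return reports


# Constructed sample log, not real djbdns/BIND output. Only the first two lines are legitimate.
SAMPLE_LOG = [
    "1261016400 query 192.0.2.10 spam.1.2.3.4.834ufg754.newrbl.com A",
    "1261016401 query 192.0.2.10 ham.5.6.7.8.834ufg754.newrbl.com A",
    "1261016402 query 198.51.100.7 spam.9.9.9.9.wrongtoken.newrbl.com A",  # forged: bad token
    "1261016403 query 198.51.100.7 spam.300.1.2.3.834ufg754.newrbl.com A",  # invalid octet
    "1261016404 query 192.0.2.10 www.example.com A",                        # unrelated lookup
]

if __name__ == "__main__":
    print(build_query_name("spam", "1.2.3.4"))
    for r in extract_reports(SAMPLE_LOG):
        print(r.verdict, r.ip)
```

Running the block prints the spam and ham reports from the first two sample lines and drops the other three: the forged token fails the comparison, the out-of-range octet fails the address check, and the unrelated name never matches the zone pattern.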