Virus.Org IT Security News and Information Portal. We offer the latest IT security news, updates, product reviews, books, and articles for all you IT security professionals out there. Enter and get the best IT security information on the Internet.

 
. Welcome to the Virus.Org Mailing List Archive  
.
.


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


[Dshieldannounce] DShield / ISC Research Feed
.

  • To: [EMAIL PROTECTED]
  • Subject: [Dshieldannounce] DShield / ISC Research Feed
  • From: "Johannes B. Ullrich" <[EMAIL PROTECTED]>
  • Date: Fri, 16 Jan 2004 20:53:42 -0500
  • Old-received: (qmail 12134 invoked from network); 17 Jan 2004 01:53:52 -0000
  • Old-received: from mail.euclidian.com (68.166.125.210) by 0 with SMTP; 17 Jan 2004 01:53:52 -0000
  • Old-received: (qmail 13258 invoked from network); 17 Jan 2004 01:53:52 -0000
  • Old-received: from (HELO bartdocked.lan) () by 0 with SMTP; 17 Jan 2004 01:53:52 -0000
  • Old-x-envelope-to: [EMAIL PROTECTED]
  • Organization: SANS Institute - Internet Storm Center
  • Reply-to: [EMAIL PROTECTED]
  • Sender: [EMAIL PROTECTED]
.
 
[please use the discussion list or off-list email to reply]

From time to time, I am getting requests from researchers for access to
DShield data. While DShield data, with the exception of data that
could be used to identify submitters, is essentially "public", it has
been very time consuming to fulfill these requests. On the other hand,
I think it would be a waste not to share the data we collect more 
widely. For example, I have pointed to Vinod's papers in the past,
which have been very useful.

In particular to look at historic data more comprehensively, I would
like to solicit some outside help.

In order to help with this, I would like to start a discussion about
how to accomplish this best. I would like to establish a 'DShield/ISC
Research Feed'. Interested researchers can use this feed for their
research. In order to reduce load on our systems, I would hope that one
participant will establish a 'proxy', which others can use to pull the
data from.

A couple of objectives:
- The feed should provide as much information as possible, without 
  revealing submitter information. I would suggest that the target IP
  is encrypted (e.g. some form of md5hash). This way, the recipient
  will still be able to count distinct targets, which is an important
  number.
- Same for the userid: if the userid is included at all, it is 
  encrypted. Again, it is very useful to see if suspicious data is
  submitted by a particular user, or to observe how data for a
  particular user changed over time.
- All the other data would be sent 'as is'.

If there are any objections to this approach, please note so on our
public discussion list ([EMAIL PROTECTED])

If you are interested in this research feed, or if you would like to
provide resources for it, please contact me off list.

DShield data will be made available free of charge for non-commercial
research. All results have to be made available to the public and
DShield or the Internet Storm Center have to be credited for the
data. If some research is particularly resource intensive, it may
be appropriate to contribute respective resources (hardware, time,
bandwidth) to the project.

As resources for this are limited, there may be a selection based
on the merit of the proposed analysis. I hope to establish a group
of reviewers if this should become necessary (at this point, its
the 'squeeky wheel' principle...)

-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          [EMAIL PROTECTED] 

contact details: http://johannes.homepc.org/contact.htm

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
Dshieldannounce mailing list
[EMAIL PROTECTED]
http://www.dshield.org/mailman/listinfo/dshieldannounce
 
.
.
 
Copyright (c) Virus.Org 1997-2006.
All Trademarks Acknowledged.
Please view our Terms and Conditions and our Privacy Policy.