Closed alexcpsec closed 10 years ago
Could you elaborate on the distinction between "inbound" and "outbound" at https://github.com/mlsecproject/combine/wiki/Known-Threat-Intelligence-Feeds ?
This reflects the way that the core of MLSec is organized.
There are 2 "meta-modules" in the system: one that is able to recognize "inbound threats" (i.e., machines that are scanning you, attacking you directly through the network, etc.) and one for "outbound threats" (i.e., machines that you connect to that have malicious payloads, C&C servers, etc.).
The feeds were separated (manually) into the categories they would contribute best to. I certainly made some mistakes in the classification, as I did not spend too much time investigating each one of them.
Also, check / compare with #9
I believe what we have here, paired with the commercial or semi-private ones we have, should be enough.
We should select the mix of public and semi-private feeds we are going to use on the presentation, and adapt the 'harvester' code as necessary to be able to gather them.
I don't believe that we need to have a full-fledged tool implementation for the initial milestone, but at least the minimum we require to prove the concept for the CFP.