mlsecproject / combine

Tool to gather Threat Intelligence indicators from publicly available sources
https://www.mlsecproject.org/
GNU General Public License v3.0
650 stars 179 forks

Select TI feeds we are going to use on the presentation #2

Closed alexcpsec closed 10 years ago

alexcpsec commented 10 years ago

We should select the mix of public and semi-private feeds we are going to use on the presentation, and adapt the 'harvester' code as necessary to be able to gather them.

I don't believe that we need to have a full-fledged tool implementation for the initial milestone, but at least the minimum we require to prove the concept for the CFP.

krmaxwell commented 10 years ago

Could you elaborate on the distinction between "inbound" and "outbound" at https://github.com/mlsecproject/combine/wiki/Known-Threat-Intelligence-Feeds ?

alexcpsec commented 10 years ago

This reflects the way that the core of MLSec is organized.

There are 2 "meta-modules" in the system, one that is able to recognize "inbound threats" (i.e., machines that are scanning you, attacking you directly through the network, etc.) and "outbound threats" (i.e., machines that you connect to that have malicious payloads, C&C servers, etc.).

The feeds were separated (manually) into the categories they would contribute the best to. I certainly made some mistakes in the classification as I did not spend too much time investigating each one of them.
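As an added illustration of the inbound/outbound split described in the comment above (example code, not part of the combine harvester or anything in the repository): a minimal harvester that takes a feed list tagged with a direction, extracts IPv4 and domain indicators from each feed body, and hands the results to the two meta-modules grouped by direction. The feed names, URLs, feed bodies and the on-disk feed-list shape are all assumptions constructed for the example; the bodies are embedded inline so it runs offline. It also shows the one check a practitioner would want when consuming public feeds: dropping RFC 1918 addresses so a noisy feed can't make you block your own LAN.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Assumed feed list, shaped after the thread's split: each feed is tagged with
# the meta-module it contributes to. "inbound" = hosts that scan or attack you;
# "outbound" = hosts you might connect to (malware hosting, C&C).
# Names and URLs are placeholders, not real feeds.
FEEDS = [
    {"name": "example-scanners", "direction": "inbound",
     "url": "https://feeds.example.invalid/scanners.txt"},
    {"name": "example-c2", "direction": "outbound",
     "url": "https://feeds.example.invalid/c2.txt"},
]

# Constructed feed bodies standing in for HTTP responses, so this runs offline.
# They include the usual feed noise: comment lines, trailing comments, a
# malformed address and an RFC 1918 address.
SAMPLE_BODIES = {
    "https://feeds.example.invalid/scanners.txt":
        "# hosts seen scanning\n198.51.100.7\n203.0.113.9  # ssh brute force\n999.1.1.1\n",
    "https://feeds.example.invalid/c2.txt":
        "# C&C and malware hosts\nmalware.example.test\n192.0.2.44\n10.0.0.5\n",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FQDN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# RFC 1918 space: an indicator in here would have us block our own network.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str       # "ipv4" or "fqdn"
    direction: str  # "inbound" or "outbound"
    source: str     # feed name the indicator came from


def parse_feed(body: str, direction: str, source: str) -> List[Indicator]:
    """Extract one indicator per non-comment line, tagged with direction and source."""
    found: List[Indicator] = []
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        m = IPV4_RE.search(line)
        if m:
            try:
                ip = ipaddress.ip_address(m.group(0))
            except ValueError:                 # e.g. 999.1.1.1: dotted, but not an address
                continue
            if any(ip in net for net in RFC1918):
                continue                       # never ingest private space from a public feed
            found.append(Indicator(str(ip), "ipv4", direction, source))
            continue
        m = FQDN_RE.search(line)
        if m:
            found.append(Indicator(m.group(0).lower(), "fqdn", direction, source))
    return found


def harvest(feeds=FEEDS,
            fetch: Callable[[str], str] = SAMPLE_BODIES.__getitem__) -> List[Indicator]:
    """Gather every feed; `fetch` maps URL -> body (swap in an HTTP client for real use).

    Deduplicates on (value, direction): the same host may legitimately show up
    as both inbound and outbound, but not twice within one direction.
    """
    seen = set()
    result: List[Indicator] = []
    for feed in feeds:
        for ind in parse_feed(fetch(feed["url"]), feed["direction"], feed["name"]):
            key = (ind.value, ind.direction)
            if key not in seen:
                seen.add(key)
                result.append(ind)
    return result


def by_direction(indicators: List[Indicator]) -> Dict[str, List[str]]:
    """Group indicator values by direction, sorted, one list per meta-module."""
    groups: Dict[str, List[str]] = {"inbound": [], "outbound": []}
    for ind in indicators:
        groups.setdefault(ind.direction, []).append(ind.value)
    return {d: sorted(v) for d, v in groups.items()}


if __name__ == "__main__":
    for direction, values in by_direction(harvest()).items():
        print(direction, values)
```

Running it prints the inbound list (the two scanner addresses, with the malformed one dropped) and the outbound list (the C&C domain and one address, with the RFC 1918 entry dropped). A host that appears in an inbound feed and an outbound feed is kept once per direction, which matches the thread's point that the two meta-modules consume different indicator sets.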

alexcpsec commented 10 years ago

Also, check / compare with #9

alexcpsec commented 10 years ago

I believe what we have here, paired with the commercial or semi-private ones we have should be enough.