Thursday, November 12, 2009

DIY Threat Monitoring System

Building your own threat monitoring system can be done using the above architecture. You will need to write some connectors and parsers to filter your data and check whether your IPs or URLs appear in any of the free public databases. I am using Perl and shell scripts along with a MySQL database. Visualization can be done using the Google Charts API, which has nice, easy-to-use charts.
If you are a cloud fan, you can use the Amazon cloud for your system and Amazon SimpleDB instead of MySQL.

Comments?

Wednesday, November 11, 2009

More on Security Information Event Management (SIEM)

Anton Chuvakin is discussing SIEM must-have features, use cases, and the different kinds of SIEM users in his blog.
Nice reading, in addition to the SANS paper on benchmarking SIEM.

Thursday, November 5, 2009

Enterprise Open Source Intelligence Gathering


A series of blog entries (1, 2, 3) by Tom Eston about open source information gathering has some useful techniques and tools that can easily be used in enterprises for monitoring social media. An overall presentation is available here.

More tools can be found here.

Tuesday, November 3, 2009

Malicious IPs and URL FREE Databases

Lenny Zeltser always inspires me with his topics; he recently published a list of public blocklists of suspected malicious IPs or URLs.

I have my own list below. The issue is how to use these IPs and URLs for your benefit. The answer is a project I am working on; stay tuned.

CBL BlackList (spam IP, FREE)
MS SNDS (spam IP, FREE)
SpamHaus (spam, $$). There are lots of other spam databases; just google them.
Malware Domain List (domains, FREE)
Google Safe Browsing (domain, FREE)
TOR exit nodes list (IP, FREE)
PhishTank (URLs, FREE)
DShield (IP, FREE)
XSS (URL, FREE)
Project Honey Pot (FREE)
OpenDNS (domain, FREE)
Defacement tracking (Zone-h, Arabic-m, Turk-h, FREE)
Arbor ATLAS (IP, FREE)
Shadow (IP, FREE)
SURBL (URL, FREE)
DroneBL (IP, FREE)
tracker (IP, FREE)
StopBadware (AS, FREE)
FastFluxMonitor (fast flux, FREE)
hpHosts (IP, URL, FREE)
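The DIY threat monitoring post and the list above both come down to the same pipeline: pull the public feeds, normalize them into a database, and check the IPs, hosts and URLs seen in your own logs against them. The following is an added example of that pipeline in Python, not code from the blog or its project; the post uses Perl, shell scripts and MySQL, and here an in-memory SQLite table and the ipaddress module stand in so the example runs offline. The feed names, the indicator values and the Squid-style proxy log lines are all constructed for the example and are not real blocklist data.

```python
"""Added example: a minimal DIY threat monitor. Feeds go into a SQLite table,
proxy log lines are parsed, and each destination IP, host and URL is matched
against the feeds. All feeds, indicators and log lines are constructed."""
import ipaddress
import re
import sqlite3
from urllib.parse import urlsplit

# Constructed feeds in the shapes public lists commonly use: one indicator per
# line, '#' comment lines, and CIDR ranges allowed in IP feeds.
FEEDS = {
    "cbl_spam_ip": ("ip", "# constructed\n192.0.2.10\n198.51.100.0/24\n"),
    "malware_domains": ("domain", "# constructed\nBad.Example.NET\n"),
    "phish_urls": ("url", "http://login.example.org/secure/verify\n"),
}

# Constructed Squid-style access log: time elapsed client action size method url ident hierarchy/peer type
PROXY_LOG = """\
1257984000.123 45 10.0.0.5 TCP_MISS/200 512 GET http://www.example.com/ - DIRECT/203.0.113.7 text/html
1257984001.456 80 10.0.0.9 TCP_MISS/200 900 GET http://bad.example.net/dl.exe - DIRECT/192.0.2.10 application/octet-stream
garbage line that does not parse
1257984002.789 12 10.0.0.9 TCP_MISS/200 300 GET http://login.example.org/secure/verify?u=1 - DIRECT/198.51.100.77 text/html
"""

LOG_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)\s+\S+\s+[^/\s]+/(?P<peer>\S+)"
)


def normalize_url(url):
    """Lower-case scheme and host, drop query and fragment, so feed and log URLs compare equal."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"


def load_feeds(conn, feeds=FEEDS):
    """Parse every feed into (feed, kind, value) rows; returns the number of rows loaded."""
    conn.execute("CREATE TABLE IF NOT EXISTS indicators (feed TEXT, kind TEXT, value TEXT)")
    rows = []
    for feed, (kind, body) in feeds.items():
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            rows.append((feed, kind, normalize_url(line) if kind == "url" else line.lower()))
    conn.executemany("INSERT INTO indicators VALUES (?, ?, ?)", rows)
    return len(rows)


def parse_log(text):
    """Yield (client, host, normalized_url, peer_ip) per parsable line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        yield m.group("client"), (urlsplit(url).hostname or "").lower(), normalize_url(url), m.group("peer")


def ip_hits(conn, ip):
    """Feeds whose IP indicators (single addresses or CIDR ranges) contain ip.
    A full scan per lookup is fine for a demo; a real feed store would index by prefix."""
    addr = ipaddress.ip_address(ip)
    return [feed for feed, value in conn.execute("SELECT feed, value FROM indicators WHERE kind='ip'")
            if addr in ipaddress.ip_network(value, strict=False)]


def exact_hits(conn, kind, value):
    """Feeds holding an exact domain or URL indicator equal to value."""
    return [f for (f,) in conn.execute(
        "SELECT feed FROM indicators WHERE kind=? AND value=?", (kind, value))]


def scan(conn, log_text):
    """One alert dict per log entry whose peer IP, host or URL appears in any feed."""
    alerts = []
    for client, host, url, peer in parse_log(log_text):
        feeds = set(ip_hits(conn, peer))
        feeds.update(exact_hits(conn, "domain", host))
        feeds.update(exact_hits(conn, "url", url))
        if feeds:
            alerts.append({"client": client, "url": url, "peer": peer, "feeds": sorted(feeds)})
    return alerts


def feed_counts(alerts):
    """Hits per feed: the rows a chart (e.g. a Google Charts data table) would be built from."""
    counts = {}
    for a in alerts:
        for f in a["feeds"]:
            counts[f] = counts.get(f, 0) + 1
    return counts


def run(log_text=PROXY_LOG):
    """Load feeds into an in-memory database (MySQL in the post), scan the log, aggregate."""
    conn = sqlite3.connect(":memory:")
    load_feeds(conn)
    alerts = scan(conn, log_text)
    return alerts, feed_counts(alerts)


if __name__ == "__main__":
    found, counts = run()
    for a in found:
        print(a["client"], a["peer"], a["url"], ",".join(a["feeds"]))
    print(counts)
```

The two things that matter most when reusing real feeds are visible here: indicators have to be normalized before they are stored (case, query strings, CIDR versus single address), and a line that does not parse should be skipped and counted, not allowed to abort the batch. Swapping the SQLite connection for a MySQL one and the constructed feed strings for HTTP downloads of the lists above gives the Perl/shell pipeline the post describes.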

Fast Flux statistics, from Arbor

Arbor is releasing statistics from their systems and spamtraps for tracking Fast-Flux networks.

Q3, 2009 statistics:

Q2, 2009 statistics:

Sunday, November 1, 2009

Materials, Louisville Infosec 2009


Louisville Infosec 2009 conference videos are available here.

Friday, October 30, 2009

SANS, Cyber Security Awareness Month

The guys at SANS are posting daily articles on 31 different ports/services/protocols/applications during October. The list is very good, and the readers' comments are also worth checking.

123 NTP
53 DNS
22 SSH
25 SMTP
23 Telnet
514 syslog
5900 VNC
20,21 FTP
5060,5061 SIP
445 SMB over TCP
1433,1434 MS-SQL
67,68 BOOTP and DHCP
80,443 HTTP/HTTPS
995,465,993 Secure Mail
1521 Oracle TNS Listener
135 epmap/loc-srv
6667/8/9, 7000 IRC
161,162 SNMP
502 Modbus
179 BGP
RPCBind
3389 RDP
IPsec protocols
Active Directory ports
Various questionable ports
Small services
Proxies
Port 0
31337
ICMP