Some things I'd like to see:
1) Option to turn on, off, and only use local reputation. Some servers have to be careful on the information they share.
2) Submissions to a central repo contain attacking IP, Sig, and MD5 of the default Plesk IP address. This would allow for confidence levels in the signatures, as well as allow blocking of updates from someone intent on poisoning the DB. The MD5 would keep it relatively anonymous in the DB, but I realize there are other ways you could map the identity.
Well, you trust us don't you?
I'd also like to allow people to opt in and provide even more if they choose, such as the attack payload. We can use that not only to improve the rules, but we have some automated stuff in the research pipeline that's going to auto-learn new attacks, malware, etc., and the payloads would be really key to that. Again, opt-in, as some folks may not be able to share anything like that.
3) Be able to weight the reputation based on preferences:
Evil - block the netblock if ASL says so, or if local rep says so
Diet Coke of Evil - block the IP if ASL says so, or if local rep says so
Questionable - block 'em if ASL says so, or local repo says so for non-generic attack sigs. Best option would be to be able to customize sigs as high confidence, but that might never get used for most installs
Have at 'er - use local sigs with no reputation, but send attack data to ASL anyway
Right, OK, we'll brainstorm on a workflow to support this. Basically, you need control to decide what data is gonna work in your environment and what you want to do. I agree completely.
4) Generate reports on said blocking by attacker, hosted domain, sig, etc.
Any thoughts on what you might want a report to look like? We're working on feeding all the data into a database in realtime, so in the future there will be plenty of ways to work with the data.
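The second point in the thread proposes identifying each submitting server by the MD5 of its default Plesk IP so the central repo can track per-submitter confidence and block a poisoner while keeping the submitter "relatively anonymous". As an added example (not code from the thread or from ASL), the block below builds a submission in that shape and then shows the mapping the poster alludes to: IPv4 has only 2^32 values, so an unkeyed hash of an address can be reversed by enumeration. It also shows a keyed pseudonym (HMAC with a per-install secret) that stays stable across submissions, so confidence tracking still works, but cannot be mapped back without the secret. All addresses, the signature ID, and the secret are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample values (not from the original thread).
SUBMITTER_IP = "203.0.113.42"   # server's default Plesk IP, TEST-NET-3 documentation range
ATTACKER_IP = "198.51.100.7"    # attacking IP, TEST-NET-2 documentation range
SIGNATURE_ID = "sig-example-1"  # hypothetical signature identifier
# Per-install secret, generated once and kept on the submitting server (constructed here).
INSTALL_SECRET = secrets.token_bytes(32)


def pseudonym_md5(ip: str) -> str:
    """Submitter pseudonym exactly as proposed: md5 of the default IP."""
    return hashlib.md5(ip.encode()).hexdigest()


def pseudonym_keyed(ip: str, secret: bytes) -> str:
    """Alternative pseudonym: HMAC-MD5 of the IP under a per-install secret.
    Same digest length and same stability across submissions, but enumeration
    of the address space no longer works without the secret."""
    return hmac.new(secret, ip.encode(), "md5").hexdigest()


def build_submission(attacker_ip: str, sig: str, submitter_pseudonym: str) -> dict:
    """Assemble a central-repo record in the proposed shape:
    attacking IP, signature, and the submitter's pseudonym."""
    return {"attacker_ip": attacker_ip, "sig": sig, "submitter": submitter_pseudonym}


def recover_submitter_ip(digest: str, netblock: str):
    """Reverse an unkeyed md5 pseudonym by hashing every host in a candidate netblock.
    A full IPv4 sweep (2**32 md5 calls) is also practical; a /16 is used here so the
    demonstration finishes instantly, e.g. once the hosting provider's range is known."""
    for ip in ipaddress.ip_network(netblock).hosts():
        if hashlib.md5(str(ip).encode()).hexdigest() == digest:
            return str(ip)
    return None


if __name__ == "__main__":
    unkeyed = build_submission(ATTACKER_IP, SIGNATURE_ID, pseudonym_md5(SUBMITTER_IP))
    keyed = build_submission(ATTACKER_IP, SIGNATURE_ID, pseudonym_keyed(SUBMITTER_IP, INSTALL_SECRET))
    print("unkeyed submission:", unkeyed)
    print("recovered submitter:", recover_submitter_ip(unkeyed["submitter"], "203.0.0.0/16"))
    print("keyed submission:", keyed)
    print("recovered submitter:", recover_submitter_ip(keyed["submitter"], "203.0.0.0/16"))
```

The keyed pseudonym keeps the property the repo actually needs (one stable identity per install, so poisoned updates can be weighted down or blocked) without tying that identity to a guessable public value; the secret never leaves the submitting server.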