Atomicorp Threat Intelligence System
December 10, 2014
Written by: Michael Shinn
As some users may have noticed, we quietly added a new feature to Atomic Secured Linux (ASL): the Atomicorp Threat Intelligence (TI) system. Right now the TI is only applied to web events, but we will be rolling it into other services over the coming months, so the TI will also protect mail, FTP, SSH and others. We’ll also be adding it to the ASL firewall so you can automatically blacklist IPs listed in the various TI databases as you see fit.
The TI is a real-time threat intelligence system that uses our network of honeypots and participating ASL systems to track attacks and attackers as they happen. It automatically distinguishes different kinds of attackers (spammers, brute-force attackers, SQLi, etc.) and disseminates that information in real time to participating ASL systems. On the back end there’s also an analyst system that lets us build profiles of attackers, track them over long periods of time, dissect what they are doing, and all sorts of other neat things.
The TI includes a number of elements, but at this point the one most users will be interested in is the DNS RBLs. We’ve put up a wiki page describing the DNS RBL TI elements and how to use them.
You can also look up IPs on the lookup page at the URL below:
What I’d like to bring to users’ attention is that the DNS RBL zones are also available via rsync, and we’d like to see users take advantage of that capability. Please see the wiki page for details on how to get access to the zones. They are not open to the public; you will need to be granted access, and that page explains how.
If you have any questions about the TI, please post them in the TI forums: