Scoring Thresholds

In the style of SpamAssassin: allow less reliable but important rules to add score to an IP's reputation instead of generating a full alert on their own. That score would time out after a defined period, but if within that period the same IP gained further points it would eventually cross the threshold and generate an alert.

This would let us make much more effective use of signatures like the ones detecting hostile exe packers, plain old exe downloads, or frequency of connections to unusual apps.

-- MattJonkman - 17 Oct 2008
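As an added illustration of the scoring idea above (example code, not part of the original topic or of any Emerging Threats ruleset): a small per-IP reputation tracker in which each low-confidence rule hit adds points, points time out after a fixed window, and a real alert fires only when the live total crosses the threshold. The rule names, weights, threshold, window length and sample hits are all constructed for this example; resetting an IP's score after it alerts is a design choice made here, not something the proposal specifies.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical per-rule weights (constructed for this example). Each
# low-reliability rule earns a few points; none reaches the alert
# threshold on its own.
RULE_SCORES: Dict[str, float] = {
    "hostile_exe_packer": 2.5,
    "plain_exe_download": 1.0,
    "unusual_app_conn_freq": 1.5,
}
ALERT_THRESHOLD = 5.0  # points an IP must accumulate before a full alert fires
SCORE_WINDOW = 3600    # seconds a contribution stays on the books before it times out


@dataclass
class Alert:
    ts: int
    ip: str
    score: float
    rules: List[str]


@dataclass
class ReputationTracker:
    threshold: float = ALERT_THRESHOLD
    window: int = SCORE_WINDOW
    rule_scores: Dict[str, float] = field(default_factory=lambda: dict(RULE_SCORES))
    # ip -> list of (timestamp, rule) contributions still inside the window
    _hits: Dict[str, List[Tuple[int, str]]] = field(
        default_factory=lambda: defaultdict(list)
    )

    def _prune(self, ip: str, now: int) -> None:
        # Drop contributions older than the window: this is the "time out".
        self._hits[ip] = [(ts, r) for ts, r in self._hits[ip] if now - ts < self.window]

    def score(self, ip: str, now: int) -> float:
        """Current live reputation score for an IP, after expiring old hits."""
        self._prune(ip, now)
        return sum(self.rule_scores[r] for _, r in self._hits[ip])

    def add(self, ts: int, ip: str, rule: str) -> Optional[Alert]:
        """Record a low-confidence rule hit; return an Alert if the IP crosses the threshold."""
        if rule not in self.rule_scores:
            raise KeyError(f"unknown rule {rule!r}")
        self._hits[ip].append((ts, rule))
        total = self.score(ip, ts)
        if total >= self.threshold:
            alert = Alert(ts, ip, total, [r for _, r in self._hits[ip]])
            # Design choice (assumption): reset the IP after alerting so one
            # burst yields one alert rather than one per subsequent hit.
            self._hits[ip].clear()
            return alert
        return None


# Constructed sample hits: (timestamp in seconds, source IP, rule).
# 10.0.0.5 gathers three hits inside one window and should alert;
# 10.0.0.9's first hit has timed out before its later hits arrive.
SAMPLE_EVENTS = [
    (0, "10.0.0.5", "plain_exe_download"),
    (600, "10.0.0.5", "hostile_exe_packer"),
    (1200, "10.0.0.5", "unusual_app_conn_freq"),
    (0, "10.0.0.9", "plain_exe_download"),
    (7200, "10.0.0.9", "plain_exe_download"),
    (7300, "10.0.0.9", "hostile_exe_packer"),
]


def run(events=SAMPLE_EVENTS) -> List[Alert]:
    """Feed the hits through a tracker and collect the alerts it raises."""
    tracker = ReputationTracker()
    alerts: List[Alert] = []
    for ts, ip, rule in events:
        alert = tracker.add(ts, ip, rule)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run():
        print(f"ALERT t={a.ts} ip={a.ip} score={a.score} rules={a.rules}")
```

Run as a script it prints a single alert for 10.0.0.5 at t=1200 with a score of 5.0; 10.0.0.9 never alerts because its first download hit has expired by the time the packer hit lands, leaving it at 3.5.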

Topic revision: r1 - 2008-10-17 - MattJonkman
This site is powered by the TWiki collaboration platform. Copyright © Emerging Threats