tlunt@ARPA.MIL said:

>I would think that if there is sufficient interest in creating and
>maintaining such a repository, so that developers of intrusion detection
>systems can have high confidence that the information is correct and
>relatively complete, that you might consider formulating this as a
>project to propose to some funding source, especially if you also propose
>to provide the information in a "safe" way (perhaps on an offline subscription

If sufficient interest is indicated, the next step would be to identify
potential funding sources. Anyone out there have any comments/insights on
possible funding?

>basis so you know who you are sending it to) to the intrusion detection
>developers (and perhaps also users), and you work with CERT or ASSIST or
>one of those clearinghouses who collects all this information anyway,
>and you formulate the results into rules that are suitable for direct
>inclusion into those systems. This would have the obvious benefit that

Can anyone comment on whether CERT, ASSIST, CIAC, ... currently have data
that could be used to populate (initially) an intrusion/abuse archive?
Would they make the data available?

>the developers don't have to duplicate each others' work, and will mean

The savings are obvious. REUSE!!!!

>that a user of an intrusion detection system doesn't have to be an expert
>in intrusion techniques or system vulnerabilities.

This seems to always pose a major hurdle for those people who find
themselves in the unenviable position of having to become an "instant
expert" due to a breach of security.

>
>As for normal behavior, Calvin Ko at UC Davis is putting together some
>rules that encode the normal expected behavior of privileged Unix programs
>so you can detect departures from those norms.

I think this idea of monitoring programs instead of human users has great
potential.
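As an added illustration of the approach mentioned at the end of the exchange (rules encoding the expected behavior of a privileged program, with departures flagged), here is a small specification-based monitor. It is example code written for this page, not Calvin Ko's actual rule language or any code from the original message; the policy for a hypothetical password-changing program, the audit-trace format and the trace lines themselves are all constructed assumptions.

```python
"""Specification-based monitoring of a privileged program (added example).

Constructed illustration: a policy lists the operations a privileged
program is expected to perform, an audit trace is checked against it,
and every operation outside the policy is reported as a departure from
the norm. Neither the policy nor the trace format comes from the page.
"""
import fnmatch
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    op: str    # operation name as it appears in the audit trace
    path: str  # fnmatch pattern for the object the operation touches


# Hypothetical policy for a password-changing program: it may read the
# password database, write a temporary copy, rename it into place and
# append to a log. Anything else is a deviation from expected behavior.
PASSWD_POLICY = (
    Rule("open_read", "/etc/passwd"),
    Rule("open_write", "/etc/ptmp"),
    Rule("rename", "/etc/ptmp"),
    Rule("open_write", "/var/log/*"),
    Rule("exit", "*"),
)

# Constructed audit trace, one record per line: "<pid> <program> <op> <object>".
# pid 101 behaves as specified; pid 102 departs from the policy.
SAMPLE_TRACE = """\
101 passwd open_read /etc/passwd
101 passwd open_write /etc/ptmp
101 passwd rename /etc/ptmp
101 passwd open_write /var/log/auth.log
101 passwd exit 0
102 passwd open_read /etc/passwd
102 passwd exec /bin/sh
102 passwd open_write /etc/shadow
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_trace(text):
    """Turn the trace into (pid, program, op, obj) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, prog, op, obj = m.groups()
            records.append((int(pid), prog, op, obj))
    return records


def permitted(policy, op, obj):
    """True if some rule in the policy allows this operation on this object."""
    return any(r.op == op and fnmatch.fnmatch(obj, r.path) for r in policy)


def find_departures(policy, trace_text, program="passwd"):
    """Return (pid, op, obj) for every operation of `program` not covered by the policy."""
    return [
        (pid, op, obj)
        for pid, prog, op, obj in parse_trace(trace_text)
        if prog == program and not permitted(policy, op, obj)
    ]


if __name__ == "__main__":
    for pid, op, obj in find_departures(PASSWD_POLICY, SAMPLE_TRACE):
        print(f"pid {pid}: unexpected {op} on {obj}")
```

The point of the design is that the operator writes down what the program should do rather than cataloguing every way it might be abused, which is why a user of such a system need not be an expert in intrusion techniques: any operation the specification does not cover is reported, whatever its cause.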