
SANS ISC: Suspicious Domain Scoring - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Suspicious Domain Scoring
Hi all,

Newbie in this forum! I'm starting a research piece on web hosting providers and how affiliated they are with people who do naughty things! I'm planning on using the suspicious domains list as a source of confirmed mal domains; however, I can't seem to see any documentation on what defines the scoring of each submitted domain. Has anyone got any insight in this area?

Cheers

Luke
Here is the scoring we currently use:

- how many days we have seen the domain in the last 10 days.
- we deduct from the score for high ranking Alexa domains
- we weight different threat feeds:

+----------------+---------------------------------------------------------+-------+
| type           | description                                             | score |
+----------------+---------------------------------------------------------+-------+
| zeuscc         | Zeus Command And Control Server from Abuse.ch           |    40 |
| spyeye         | Spyeye Command And Control Server from Abuse.ch         |    40 |
| spyeyedomains  | Spyeye Command And Control Server from Abuse.ch         |    40 |
| zeusdomains    | Zeus Command And Control Server from Abuse.ch           |    40 |
| palevodomains  | Palevo Command and Control Server Domains from Abuse.ch |    40 |
| palevoips      | Palevo Command and Control Server IPs from Abuse.ch     |    40 |
| ransomware     | Abuse.ch Ransomware Domain Blocklist                    |    40 |
| ransomwareips  | Abuse.ch Ransomware IPs Blocklist                       |    40 |
| malwaredomains | Domain Blocklist From Malwaredomains                    |    15 |
| threatexpert   | Threatexpert.com Malicious URLs                         |    25 |
| miner          | Cryptocoin Miner Pool Addresses                         |    20 |
| virustotal     | Virustotal Domains                                      |    10 |
+----------------+---------------------------------------------------------+-------+

btw: for your purpose, it may be better to look at the hosting providers' ASNs and use Google's Safe Browsing data, which you can retrieve by ASN if I remember right.
Anonymous (ISC Handler)
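The three factors the handler lists (days seen in the last 10 days, a deduction for high-ranking Alexa domains, and per-feed weights) turned into a small scorer. This is an added example, not ISC's own scoring code: the feed weights are copied from the table above, but how ISC combines the factors is not documented here, so the formula (feed weights plus days seen minus an Alexa deduction, floored at zero), the Alexa cutoff and deduction size, and the sample sightings are all assumptions.

```python
"""Domain scoring modelled on the three factors named in the handler's reply:
days seen in the last 10 days, a deduction for high-ranking Alexa domains,
and per-feed weights. Added example; the exact arithmetic ISC uses is not
documented on the page, so the combination below is an assumption."""
from datetime import date, timedelta

# Feed weights exactly as listed in the reply's table.
FEED_WEIGHTS = {
    "zeuscc": 40, "spyeye": 40, "spyeyedomains": 40, "zeusdomains": 40,
    "palevodomains": 40, "palevoips": 40, "ransomware": 40, "ransomwareips": 40,
    "malwaredomains": 15, "threatexpert": 25, "miner": 20, "virustotal": 10,
}

WINDOW_DAYS = 10           # "the last 10 days" from the reply
ALEXA_TOP_CUTOFF = 10_000  # assumed: ranks at or above this count as "high ranking"
ALEXA_DEDUCTION = 30       # assumed size of the deduction

# Constructed sample sightings: (feed, domain, date observed).
TODAY = date(2018, 1, 10)
SIGHTINGS = [
    ("zeuscc", "bad-cc.test", date(2018, 1, 8)),
    ("zeuscc", "bad-cc.test", date(2018, 1, 9)),
    ("zeuscc", "bad-cc.test", date(2018, 1, 10)),
    ("miner", "miner-pool.test", date(2018, 1, 5)),
    ("virustotal", "miner-pool.test", date(2018, 1, 9)),
    ("virustotal", "example-cdn.test", date(2018, 1, 10)),
    ("malwaredomains", "stale.test", date(2017, 12, 20)),  # outside the window
]
# Constructed Alexa ranks for domains that appear in the top list.
ALEXA_RANK = {"example-cdn.test": 512}


def recent_sightings(domain, sightings, today):
    """Sightings of `domain` within the last WINDOW_DAYS days, today inclusive."""
    cutoff = today - timedelta(days=WINDOW_DAYS)
    return [(feed, seen) for feed, dom, seen in sightings
            if dom == domain and cutoff < seen <= today]


def days_seen(domain, sightings, today=TODAY):
    """Distinct days on which any feed listed the domain within the window."""
    return len({seen for _, seen in recent_sightings(domain, sightings, today)})


def feed_score(domain, sightings, today=TODAY):
    """Sum of the weights of the distinct feeds that listed the domain in the
    window. Feed names not in the table carry no weight."""
    feeds = {feed for feed, _ in recent_sightings(domain, sightings, today)}
    return sum(FEED_WEIGHTS.get(feed, 0) for feed in feeds)


def alexa_deduction(domain, ranks):
    """Deduction for domains in the Alexa top list (assumed cutoff and size)."""
    rank = ranks.get(domain)
    return ALEXA_DEDUCTION if rank is not None and rank <= ALEXA_TOP_CUTOFF else 0


def score(domain, sightings=SIGHTINGS, ranks=ALEXA_RANK, today=TODAY):
    """Combined score, floored at zero (assumed combination)."""
    total = (feed_score(domain, sightings, today)
             + days_seen(domain, sightings, today)
             - alexa_deduction(domain, ranks))
    return max(0, total)


def rank_domains(sightings=SIGHTINGS, ranks=ALEXA_RANK, today=TODAY):
    """Every domain present in the sightings, highest score first."""
    domains = {dom for _, dom, _ in sightings}
    return sorted(((score(d, sightings, ranks, today), d) for d in domains),
                  reverse=True)


if __name__ == "__main__":
    for s, d in rank_domains():
        print(f"{s:3d}  {d}")
```

Two behaviours worth noting when reading the output: a domain whose only sighting is older than the window scores zero even though it is on a weighted feed, and a popular domain that a single low-weight feed flags is pushed to zero by the Alexa deduction, which is the effect the handler's second bullet is after.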
