Introduction to Rule Engine & Blacklist IP Dump of Intrusion Detection System

Rule Engine comprises of a set of pre-defined rules, which are used to score the event on a scale of 0 to 100. This score helps determine whether an event is safe or risky, this can be decided by setting a risk threshold. Rule Engine is backed by a database that has information such as IP address, user id, event outcome(success or failure) of past security events. Each entry in database has Time to live(TTL) or hop limit of 3 hours, which can be configured based on requirement. Generally speaking rule based engines are robust but can only take on already identified & can’t do much about new attacks. It does only as much as it is asked for, which though results in extremely low false positives doesn’t scale well to all situations. That’s when Machine Learning & anomaly detection engines come into the picture. These engines are currently under development & will be introduced in future posts.

Coming back to the Rule Engine, current implementation focuses mainly to prevent dictionary & brute force attacks from happening. There are four rules, each addressing different use cases :

Implementation available at : https://github.com/piyush-palta/risk-analyzer/blob/master/risk_calculator/rule_engine.py

Blacklist IP Dump is a database of all the IPs that are blacklisted over the internet for malicious behaviour. One such source of blacklisted IP addresses is myip.ms. These IPs are provided in a text file & stored in a sqlite3 based database. IPs are hashed as integers for easy lookup i.e. O(logN) lookup. If an IP is found to be present in this database, highest possible score of 100 is returned and the event is forfeited. Implementation available at : https://github.com/piyush-palta/risk-analyzer/blob/master/risk_calculator/blacklist_ip.py

In this blog, we introduced the rule engine & blacklist IP dump of Intrusion Detection System using Elytron’s security events & discussed their implementation.