AbuseHelper is an open-source project initiated by CERT.FI (Finland) and CERT.EE (Estonia) with ClarifiedNetworks to automatically process incidents notifications.
This tool is being developed for CERTs) and ISPs) to help them in their daily job of following and treating a wide range of high-volume information sources. It is interesting to note that the framework can also be used for automatically processing (standardised) information from a wide range of sources.
Contents |
CERTs and ISPs have to handle really high-volume of notifications (SPAM E-mail spam, BotNet Botnet, ...). These notifications are often normalized per feed (each feed typically uses different formats to report). There is also a lot of information about Internet abuse, available by different feed providers (Zone-H Zone-H[1], DShield Dshield[2], Zeus Tracker Zeus (trojan horse) [3]...). There I a tremendeus amount of information available, but not well utilized, as the amount of information is too high for manual processing AbuseHelper follows a number of sources and produces actionable reports and dashboard for the people that need to treat all these notifications. AbuseHelper also automates the enriching of information, such as founding the owner a reported IP addresses from public databaseses (such as WHOIS Whois).
Technical developments that led to collaborative effort on solving the automated collection of Abuse Information
AbuseHelper is written in Python and developed relying on XMPP protocol (not mandatory) and agents. The base principle is to control agent via a central chat room where all bots are listening. Agents are exchanging information in subrooms. AbuseHelper is then scalable and each agent follows a KISS (Keep it Simple and Stupid) approach. Each user is able to produce the perfect workflow for his business. The user just needs to take the agents he needs and connect them together.
The goal of AbuseHelper is to be able to handle a large panel of sources and try to extract useful information for event follow-up. Currently, AbuseHelper is able to parse the following types of sources:
The community is working on being able to handle more type of input formats. Each type of input is handle by a dedicated bot.
AbuseHelper is more than a pipe. In the workflow, it could be decided to add extra informations coming from other sources like:
As AbuseHelper should help to handle incidents, a large panels of output has also to be handled. Per default, AbuseHelper could produces the following kind of reports:
At all steps, there is some standards agents:
AbuseHelper is developed by a open-source community composed by:
As of this edit, this article uses content from "Workshops BruCON 2010", which is licensed in a way that permits reuse under the Creative Commons Attribution-ShareAlike 3.0 Unported License, but not under the GFDL. All relevant terms must be followed.