Detectors
Back to The FIDO Assembly Line
Detectors are the initial trigger that creates a FIDO event. Detectors can be hardware- or software-based systems, such as firewalls, IDS scanners, or custom FIDO logic using threat feeds, whose purpose is to look for malicious activity. A detector is not a verification that malicious activity occurred, just the initial 'trip wire' indicating that suspicious activity was detected.
In the FIDO pipeline an event is received in one of four ways: via API, SQL, log files, or email. Which one to use depends on what the vendor can support, but the API method is preferred.
When an event is received from a detector, the first step in the FIDO pipeline is to parse out the relevant information provided by the detector. The most important pieces of information are the source/destination address, timestamp, IP, URL and hash. Any other information can be recorded in the FIDO class object, either for reference or for use if it proves valuable. Additionally, if a particular detector proves highly reliable (low false-positives, good intel), that additional information can be used in the FIDO scoring algorithm.
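As an added illustration of this parsing step (example code, not FIDO's own C# implementation), the Python below normalizes two constructed detector formats, an API-style JSON payload and a log line, into one event object: required fields are validated, everything else is kept for reference, and the initial score is seeded from an assumed per-detector reliability weight. The field names, the log line format and the weights are assumptions, not FIDO's real values.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical per-detector reliability weights (constructed; FIDO's real
# scoring weights are not documented on this page). A detector with a low
# false-positive history contributes more to the initial score.
DETECTOR_RELIABILITY = {"fireeye_mps": 0.9, "custom_feed": 0.5}
DEFAULT_RELIABILITY = 0.3  # unknown detector: trust it the least

@dataclass
class DetectorEvent:
    """Normalized detector alert: the fields every downstream stage needs."""
    detector: str
    timestamp: str
    src_ip: str
    dst_ip: str
    url: Optional[str] = None
    file_hash: Optional[str] = None
    extras: dict = field(default_factory=dict)  # vendor fields kept for reference
    score: float = 0.0

REQUIRED = ("timestamp", "src_ip", "dst_ip")

def from_api(detector, payload):
    """Adapter for a JSON API callback (constructed field names)."""
    data = json.loads(payload)
    known = {"ts": "timestamp", "src": "src_ip", "dst": "dst_ip",
             "url": "url", "sha256": "file_hash"}
    fields = {known[k]: v for k, v in data.items() if k in known}
    extras = {k: v for k, v in data.items() if k not in known}
    return _build(detector, fields, extras)

# Constructed log format: "<timestamp> <src_ip> -> <dst_ip> key=value ..."
LOG_RE = re.compile(r"^(?P<timestamp>\S+) (?P<src_ip>[\d.]+) -> (?P<dst_ip>[\d.]+)(?: (?P<kv>.*))?$")

def from_log(detector, line):
    """Adapter for a constructed syslog-style detector line."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = {k: v for k, v in m.groupdict().items() if k != "kv" and v}
    extras = dict(kv.split("=", 1) for kv in (m.group("kv") or "").split())
    fields["url"] = extras.pop("url", None)
    fields["file_hash"] = extras.pop("md5", None)
    return _build(detector, fields, extras)

def _build(detector, fields, extras):
    """Reject events missing the fields later stages depend on, then score."""
    missing = [f for f in REQUIRED if not fields.get(f)]
    if missing:
        raise ValueError(f"{detector}: missing required field(s) {missing}")
    ev = DetectorEvent(detector=detector, extras=extras, **fields)
    ev.score = DETECTOR_RELIABILITY.get(detector, DEFAULT_RELIABILITY)
    return ev
```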
Currently implemented detectors:
- Cyphort
- Carbon Black
- Palo Alto Networks
- ProtectWise
- FireEye MPS
- SourceFire
- Sophos
- Bit9 (custom detector)
Detectors currently in progress or planned:
- SentinelOne
- FireEye MAS
- Snort
- Bro
- Lastline
One of the goals of open sourcing FIDO is to continue to build out the list of detectors. The more detectors available, the more relevant FIDO becomes.
On to the next step... Host Discovery.