Author: F.Mertz (12 Jun 08 6:06pm)
I wish I could say that my knowledge of the subject was meaningfully increased :-) I'm not going to allow my ignorance to slow me down, though.
If I were able to wrap my head around the threat score algorithm, I would incorporate some kind of configurable threshold calculation into the module that takes into consideration the type of threat, the threat score, and the days since last observation. Ideally it would use a logarithmic damping function and a switch one could set to varying degrees of aggression, maybe a scale from one to ten or just a few like aggressive, normal, passive, none. It's just a bit too dark for me to shoot in the direction of that noise, though. Maybe when the scores are normalized it'll be time to take this back up.
At present, the module presents the convenience option to set thresholds for each threat type independently, to set a global threshold, mix/match, or just run without thresholds (all defaulted to zero). It's got a single threshold for the days since last observation, also optional, that I may break out to a global and three types as the threat score thresholds are implemented. In this way the module can be configured to return a binary threat indication for simplicity, or can be used just as a data source for later processing. Or both, I suppose, but I can't see any point to doing additional processing if the necessary logic is provided by the configuration.
Of course, any time a lookup is performed that returns anything other than NXDOMAIN, the module will provide the threat score, threat type, and days since last observation via object method calls.
The ability to do local whitelisting/blacklisting will be provided in the module by a callback hook, so the developer is not forced into any specific implementation and is free to provide or not provide a callback. In this way it's up to the developer to determine where his whitelist data comes from, be it a text file, a database, a DNS lookup, or some other magic. I intend to incorporate a couple of reference implementations into the module package before it goes off to CPAN.
Because the primary audience of a CPAN module is developers, it seems a bit pointless to incorporate QuickLinks into the module. In the MVC context, this module is in the Controller while QuickLinks would be something better suited to the View. That said, I can and will incorporate QuickLinks into the blosxom plugin I've written before it goes out for public consumption. (Never mind that blosxom is in decline...)
Thanks for shedding what light you can on the matter, and for the module functionality suggestions. I'll follow up in this thread as things progress.