Firewall Wizards mailing list archives

Re: "Who else picked this one up?"


From: Lance Spitzner <spitzner () dimension net>
Date: Sat, 1 May 1999 09:51:24 -0400 (EDT)

On Fri, 30 Apr 1999, Marcus J. Ranum wrote:

A few of us (some folks on the list and some of the folks at
NFR) have been looking into adding a feature in the next version
of Back Officer to allow someone to publish these kinds of
records (potentially with a hashed IP address instead of the
real one) to a central location for statistics, forensics,
and to share within the security community. 

Several of us in the Check Point FW1 community have already been
doing this.  Several months ago I developed a script that uses
FW1 to detect scans, logs the info in a database, alerts the
admin, and then notifies the remote Admin of the scan.
http://www.enteract.com/~lspitz/intrusion.html.

The FW1 community has been sharing the results.  You can find the
results at http://www.enteract.com/~lspitz/alert.log.

The information published is as follows:

Source(real IP address)  Date   Time  Service(what they were probing).

You may want to check this out as a starting point for ideas.
Note, so far we are not hiding the IP addresses of the source.
We have NO intent to become some type of "RBL" for the security
community.   However, hashing the IP addresses of the source
might be a good idea :)

Hope this helps ....

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc
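
The hashed-source idea raised in the thread, as an added example that is not part of the original message or of the FW1 script: it replaces the source field with a keyed HMAC token so repeat sources still correlate, and shows why a plain unkeyed hash of an IPv4 address can be undone by enumeration. The whitespace-separated field layout, the sample records, the key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
from typing import List, Optional

# Constructed sample records in the field order the post lists:
# source, date, time, service. Addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
192.0.2.17 30Apr1999 22:14:03 telnet
198.51.100.4 30Apr1999 22:15:41 imap
192.0.2.17 01May1999 03:02:10 pop-3
"""

def keyed_token(ip: str, key: bytes) -> str:
    """Pseudonymize an address with HMAC-SHA256 (truncated for readability)."""
    packed = ipaddress.ip_address(ip).packed  # also validates the field
    return hmac.new(key, packed, hashlib.sha256).hexdigest()[:16]

def unkeyed_token(ip: str) -> str:
    """Plain SHA-256 of the address, shown only for comparison."""
    return hashlib.sha256(ipaddress.ip_address(ip).packed).hexdigest()[:16]

def pseudonymize(log_text: str, key: bytes) -> List[str]:
    """Replace the source field of each record with its keyed token."""
    out = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records rather than publish them raw
        src, date, time, service = fields
        out.append(f"{keyed_token(src, key)} {date} {time} {service}")
    return out

def reverse_unkeyed(token: str, network: str) -> Optional[str]:
    """Recover an address from an unkeyed token by enumerating a network.
    IPv4 has only 2**32 addresses, so an unkeyed hash hides very little."""
    for addr in ipaddress.ip_network(network):
        if unkeyed_token(str(addr)) == token:
            return str(addr)
    return None

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: in practice random and kept secret
    for record in pseudonymize(SAMPLE_LOG, key):
        print(record)
    print(reverse_unkeyed(unkeyed_token("192.0.2.17"), "192.0.2.0/24"))
```
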


