Security Incidents mailing list archives
Maintaining a "watch list"
From: Kirby Angell <kangell () alertra com>
Date: Wed, 03 Nov 2004 17:03:40 -0600
I would like to figure out a way I can maintain a "watch list" of IPs that have generated traffic that is suspicious, but not suspicious enough to warrant being shunned. Ideally I'd like to be notified via e-mail within a few minutes of the target IP connecting with my network; no more than once per hour for each IP.

My need for this will become apparent with a post I'll make to this list later tonight.

We monitor all the traffic coming into and out of our production machines so I have some flexibility here. I've thought of solutions involving tcpdump, ngrep, and other things. I just wondered what others did when they have an IP that might turn out to be an attacker, but they aren't sure yet.

- --
Thank you,
Kirby Angell

Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0
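The watch-list notifier the post asks for, as an added example that is not part of the original message or of any tool it names: it reads lines in the format printed by `tcpdump -n`, raises an alert the first time a watched source IP connects, and suppresses further alerts for that IP for one hour. The watch list, the addresses and the capture lines are constructed; the alert list stands in for the point where each entry would be handed to a mailer.

```python
import re
from datetime import date, datetime, timedelta

# Constructed watch list (documentation-range addresses, not from the post).
WATCH_LIST = {"192.0.2.10", "198.51.100.7"}

# Timestamp and source IP of a "tcpdump -n" line: "HH:MM:SS.usec IP src.port > dst.port: ..."
_LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\.\d+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > ")


class WatchListNotifier:
    """Raise at most one alert per watched IP per interval (one hour by default)."""

    def __init__(self, watch_list, interval=timedelta(hours=1)):
        self.watch_list = set(watch_list)
        self.interval = interval
        self.last_alert = {}  # ip -> time of the most recent alert for that ip
        self.alerts = []      # (ip, time) pairs; a deployment would e-mail each one

    def process_line(self, line, day=date(2004, 11, 3)):
        """Return True if this line raises an alert, False if ignored or throttled."""
        m = _LINE_RE.match(line)
        if not m:
            return False
        ts = datetime.combine(day, datetime.strptime(m.group(1), "%H:%M:%S").time())
        ip = m.group(2)
        if ip not in self.watch_list:
            return False
        prev = self.last_alert.get(ip)
        if prev is not None and ts - prev < self.interval:
            return False  # already notified within the last hour: suppress
        self.last_alert[ip] = ts
        self.alerts.append((ip, ts))
        return True


# Constructed sample capture, not real traffic.
SAMPLE_LINES = [
    "17:03:40.123456 IP 192.0.2.10.44321 > 203.0.113.5.80: Flags [S], seq 1, win 512",
    "17:05:02.000000 IP 192.0.2.10.44322 > 203.0.113.5.80: Flags [S], seq 2, win 512",
    "17:10:00.000000 IP 203.0.113.99.5555 > 203.0.113.5.22: Flags [S], seq 3, win 512",
    "18:04:00.000000 IP 192.0.2.10.44330 > 203.0.113.5.443: Flags [S], seq 4, win 512",
    "18:04:30.000000 IP 198.51.100.7.1025 > 203.0.113.5.25: Flags [S], seq 5, win 512",
]


def run_sample(lines=SAMPLE_LINES):
    """Feed the sample through the notifier; return (ip, HH:MM:SS) for each alert raised."""
    notifier = WatchListNotifier(WATCH_LIST)
    for line in lines:
        notifier.process_line(line)
    return [(ip, ts.strftime("%H:%M:%S")) for ip, ts in notifier.alerts]
```

The second line from 192.0.2.10 is suppressed because it falls inside the hour; the fourth is reported again because 60 minutes and 20 seconds have passed, and the unwatched 203.0.113.99 never alerts.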
Current thread:
- Maintaining a "watch list" Kirby Angell (Nov 04)
- Re: Maintaining a "watch list" Ragnar Paulson (Nov 04)
- Re: Maintaining a "watch list" adriano.carvalho (Nov 05)
- <Possible follow-ups>
- RE: Maintaining a "watch list" M. Shirk (Nov 04)