Security Incidents mailing list archives

Maintaining a "watch list"


From: Kirby Angell <kangell () alertra com>
Date: Wed, 03 Nov 2004 17:03:40 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would like to figure out a way I can maintain a "watch list" of IPs
that have generated traffic that is suspicious, but not suspicious
enough to warrant being shunned.  Ideally I'd like to be notified via
e-mail within a few minutes of the target IP connecting with my network;
no more than once per hour for each IP.  My need for this will become
apparent with a post I'll make to this list later tonight.

We monitor all the traffic coming into and out of our production
machines so I have some flexibility here.  I've thought of solutions
involving tcpdump, ngrep, and other things.  I just wondered what others
did when they have an IP that might turn out to be an attacker, but they
aren't sure yet.

- --
Thank you,

Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D  836A DB5B A751 9004 F4C0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBiWPL21unUZAE9MARAh5AAJ9QLvW+uSQcpVplLXXo8E/zWLJFTwCfcbyf
97GyWhZjNOnspd3b7iNB6Gg=
=RWwG
-----END PGP SIGNATURE-----
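One way to build the watch-list alerter the post asks for, added here as an example and not code from Kirby Angell or this thread: feed it `tcpdump -n -l` style lines, match source and destination against a watch list, and suppress repeat alerts so each IP fires at most once per hour. The watch-list addresses and the sample capture lines are constructed (TEST-NET ranges); the e-mail step is a pluggable callback, since the real one would just be a call to sendmail or smtplib.

```python
"""Watch-list alerter: flag traffic to or from IPs of interest, at most once per IP per hour.

Added example. Assumes `tcpdump -n -l` output on stdin; the watch list, the sample
lines and the notification hook are constructed placeholders, not anything from the post.
"""
import re
import sys

# Constructed watch list: IPs that looked odd but were not shunned (RFC 5737 test addresses).
WATCH_LIST = {"192.0.2.44", "198.51.100.7"}

ALERT_INTERVAL = 3600  # seconds: no more than one notification per IP per hour

# Matches the start of a `tcpdump -n -l` line for TCP or UDP over IPv4, e.g.
# "17:03:40.000001 IP 192.0.2.44.51234 > 10.0.0.5.22: Flags [S], ..."
TCPDUMP_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d(?:\.\d+)?) IP "
    r"(\d{1,3}(?:\.\d{1,3}){3})\.\d+ > (\d{1,3}(?:\.\d{1,3}){3})\.\d+:"
)


def parse_line(line):
    """Return (seconds_since_midnight, src_ip, dst_ip) for a tcpdump line, or None.

    Day rollover is ignored; a long-running monitor would use time.time() instead.
    """
    m = TCPDUMP_RE.match(line)
    if not m:
        return None
    hh, mm, ss, src, dst = m.groups()
    return int(hh) * 3600 + int(mm) * 60 + float(ss), src, dst


class WatchListAlerter:
    def __init__(self, watch_list, interval=ALERT_INTERVAL, notify=None):
        self.watch_list = set(watch_list)
        self.interval = interval
        self.last_alert = {}            # ip -> timestamp of the last alert sent
        self.notify = notify or (lambda ip, ts: None)  # placeholder for the e-mail step

    def check(self, ts, src, dst):
        """Alert on the first watch-listed IP in (src, dst) unless one fired within `interval`.

        Returns the IP that triggered an alert, or None.
        """
        for ip in (src, dst):
            if ip not in self.watch_list:
                continue
            last = self.last_alert.get(ip)
            if last is None or ts - last >= self.interval:
                self.last_alert[ip] = ts
                self.notify(ip, ts)
                return ip
            return None  # watched IP seen, but still inside the quiet period
        return None


# Constructed sample capture: two hits from 192.0.2.44 a second apart, an unrelated host,
# an outbound DNS query to a watched resolver, then 192.0.2.44 again over an hour later.
SAMPLE_LINES = [
    "17:03:40.000001 IP 192.0.2.44.51234 > 10.0.0.5.22: Flags [S], seq 1, win 65535, length 0",
    "17:03:41.000001 IP 192.0.2.44.51235 > 10.0.0.5.80: Flags [S], seq 2, win 65535, length 0",
    "17:05:00.000001 IP 203.0.113.9.40000 > 10.0.0.5.80: Flags [S], seq 3, win 65535, length 0",
    "17:30:00.000001 IP 10.0.0.5.33000 > 198.51.100.7.53: 12345+ A? example.com. (29)",
    "18:10:00.000001 IP 192.0.2.44.51236 > 10.0.0.5.443: Flags [S], seq 4, win 65535, length 0",
]


def run(lines, watch_list=WATCH_LIST, interval=ALERT_INTERVAL):
    """Replay capture lines through the alerter; return [(ip, timestamp_field), ...] for alerts."""
    alerter = WatchListAlerter(watch_list, interval)
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst = parsed
        hit = alerter.check(ts, src, dst)
        if hit:
            alerts.append((hit, line.split()[0]))
    return alerts


if __name__ == "__main__":
    # Live use: tcpdump -n -l -i eth0 | python watchlist.py
    for ip, when in run(sys.stdin):
        print(f"ALERT {when} watch-listed {ip} seen")
```

Run on the constructed sample, the second line from 192.0.2.44 is suppressed because it falls inside the hour-long quiet period, while the 18:10 line fires again; the DNS line alerts because the watched address is the destination, which covers the outbound side of the traffic the post says is monitored.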
