Snort mailing list archives

Re: getcontact utility


From: Andrew Daviel <andrew () andrew triumf ca>
Date: Tue, 19 Jun 2001 12:18:17 -0700 (PDT)

On Mon, 18 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:

> Hello,
>
> I am looking for a utility to use with Snort (running on Linux) similar to
> the "Getcontact" utility seen on snort.org. It would be nice to be able to
> automatically lookup contacts for the different ISPs and send out emails
> when certain attacks occur. Does anyone have a script they could share that
> could do this?

My reporter script (the subject of some criticism for one false alert :-7)
has a contact lookup module.
Like most of my stuff, it's ugly Perl (what do you expect from an
ex-FORTRAN programmer). http://andrew.triumf.ca/pub/security/reporter/

The contact lookup algorithm keeps evolving. Currently, it works like
this:

 1. Try to resolve the IP with DNS.
    Failing that, try to get an Apache error message. Failing that, a
    sendmail banner (many APNIC sites don't resolve).
 2. Work along the name looking for an MX record.
 3. Look up the org. in a private database.
 4. Look up the org at whois.abuse.net.
 5. Try mailing to "abuse" anyhow, and watch for a bounce.
 6. If it doesn't resolve, dig through whois records starting at
    whois.arin.net:
    - Mail to "abuse" if it exists in the whois record.
    - If the technical contact address seems to match the netblock, as it
      does for major ISPs & orgs, try mailing "abuse@org".
    - Otherwise, mail any email address found in the record, except if
      it's IANA, meaning it's a private netblock and I didn't notice.
    - Try not to mail people like "nic () apnic net" if I can help it.

dshield.org is doing something similar with aggregate records. They cache
whois contacts and store them in a database. There's an SQL dump on the
web. Abuse.net is really for spam complaints but I've started
using their database for resolved names except where I know a more
appropriate one, e.g. "security-nonverbose () uu net" or whatever.

As has been pointed out to me, an automated reporter is vulnerable to
scans with spoofed source addresses as an attack on the credibility
of the reporter. (Maybe I need a "credible limit" of total scans/hour)

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security () triumf ca



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
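The lookup chain and the "credible limit" idea from the message above, as an added example that is not part of the message or of the reporter script it links to. It is Python rather than Perl, and it runs offline: reverse DNS, MX presence, the private contact database, abuse.net and whois are all stand-in in-memory tables filled with constructed data, so every host name, mailbox, netblock and helper (`lookup_contact`, `contact_from_whois`, `CredibilityGate`) is hypothetical. The Apache-error and sendmail-banner name guesses are left out because they need a live connection to the scanning host.

```python
"""Offline model of an abuse-contact lookup chain for an automated scan reporter.
Added example, not the reporter from the thread. All tables below are constructed
fixtures (hypothetical data); a real reporter would put dnspython and a whois
client behind has_mx(), PTR and whois_lookup()."""
import ipaddress
import re
from collections import deque

PTR = {"203.0.113.7": "dhcp-7.cust.example.net",      # constructed reverse DNS
       "203.0.113.42": "mail.smallshop.example",
       "198.51.100.9": "ns1.bigisp.example"}
MX = {"example.net", "smallshop.example", "bigisp.example"}   # names with an MX
PRIVATE_DB = {"bigisp.example": "security-nonverbose@bigisp.example"}  # curated
ABUSE_NET = {"example.net": "abuse@example.net"}      # what whois.abuse.net says
WHOIS = {  # netblock -> registry record text (constructed)
    "203.0.113.0/24": "NetRange: 203.0.113.0 - 203.0.113.255\nOrgName: Example Net Inc\n"
                      "TechEmail: hostmaster@example.net\n",
    "192.0.2.0/24": "NetRange: 192.0.2.0 - 192.0.2.255\nOrgName: Example Hosting Ltd\n"
                    "TechEmail: nic@apnic.net\nOrgEmail: ops@example-hosting.example\n",
    "198.51.100.0/24": "NetRange: 198.51.100.0 - 198.51.100.255\n"
                       "OrgName: Internet Assigned Numbers Authority\n"
                       "OrgAbuseEmail: abuse@iana.org\n",
}
# Never report on these. Kept as an explicit list rather than ipaddress.is_global()
# so the RFC 5737 documentation addresses used as sample data stay reportable here.
NON_REPORTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
REGISTRY_NIC = ("arin.net", "ripe.net", "apnic.net", "lacnic.net", "afrinic.net")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def has_mx(name):
    return name.lower() in MX


def is_registry(domain):
    return domain.lower().endswith(REGISTRY_NIC)


def org_from_name(name):
    """Walk up the host name, label by label, until a name with an MX is found."""
    labels = name.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if has_mx(candidate):
            return candidate
    return None


def whois_lookup(ip):
    """Longest-prefix match over the constructed table (stands in for querying
    whois.arin.net and following its referrals to the regional registries)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, text in WHOIS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, text)
    return best[1] if best else None


def contact_from_whois(text):
    """Pick a mailbox out of a whois record, in the message's order of preference."""
    emails = EMAIL_RE.findall(text)
    if any(e.lower().endswith("@iana.org") for e in emails):
        return None, "IANA-administered block; nothing to report"
    abuse = [e for e in emails if e.lower().startswith("abuse@")]
    if abuse:
        return abuse[0], "abuse mailbox listed in whois"
    m = re.search(r"^TechEmail:\s*(\S+)", text, re.M)
    if m:
        domain = m.group(1).split("@", 1)[1]
        # A tech contact at a mail-accepting domain is usually the netblock's own org.
        if not is_registry(domain) and has_mx(domain):
            return f"abuse@{domain}", "abuse@ at technical contact's domain"
    real = [e for e in emails if not is_registry(e.split("@", 1)[1])]
    if real:
        return real[0], "first non-registry address in whois"
    if emails:
        return emails[0], "registry NIC mailbox (last resort)"
    return None, "no contact address in whois"


def lookup_contact(ip):
    """Return (mailbox, reason); mailbox is None when nothing should be sent."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in NON_REPORTABLE):
        return None, "non-routable source; spoofed or misconfigured"
    name = PTR.get(ip)
    org = org_from_name(name) if name else None
    if org:
        if org in PRIVATE_DB:
            return PRIVATE_DB[org], "private contact database"
        if org in ABUSE_NET:
            return ABUSE_NET[org], "abuse.net listing"
        return f"abuse@{org}", "guessed abuse@ mailbox; watch for a bounce"
    record = whois_lookup(ip)
    if record is None:
        return None, "no whois record found"
    return contact_from_whois(record)


class CredibilityGate:
    """Stop mailing once the hourly scan count exceeds what one sensor can
    plausibly see: a flood of spoofed sources would otherwise turn the reporter
    into a tool for sending complaints to innocent netblocks."""

    def __init__(self, limit_per_hour=50):
        self.limit = limit_per_hour
        self.events = deque()  # timestamps (seconds) of scans in the last hour

    def allow(self, ts):
        while self.events and ts - self.events[0] >= 3600:
            self.events.popleft()
        self.events.append(ts)
        return len(self.events) <= self.limit


if __name__ == "__main__":
    gate = CredibilityGate(limit_per_hour=3)
    for t, ip in enumerate(("203.0.113.7", "203.0.113.200", "192.0.2.55", "10.1.2.3")):
        mailbox, why = lookup_contact(ip)
        print(ip, "->", mailbox, f"({why})", "sent" if gate.allow(t * 60) else "held")
```

The gate is deliberately a plain sliding-window count rather than a per-source limit: the failure mode in the message is many spoofed sources each seen once, so a per-source limit would not fire. Above the limit the reporter holds events for a human instead of mailing, and the `reason` string in each result is meant to go into the outgoing report so the recipient can see how their address was chosen.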