Snort mailing list archives
Re: getcontact utility
From: Andrew Daviel <andrew () andrew triumf ca>
Date: Tue, 19 Jun 2001 12:18:17 -0700 (PDT)
On Mon, 18 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:
Hello, I am looking for a utility to use with Snort (running on Linux) similar to the "Getcontact" utility seen on snort.org. It would be nice to be able to automatically lookup contacts for the different ISPs and send out emails when certain attacks occur. Does anyone have a script they could share that could do this?
My reporter script (the subject of some criticism for one false alert :-7) has a contact lookup module. Like most of my stuff, it's ugly Perl (what do you expect from an ex-FORTRAN programmer).

http://andrew.triumf.ca/pub/security/reporter/

The contact lookup algorithm keeps evolving. Currently, it works like this:

- Try to resolve the IP with DNS.
- Failing that, try to get an Apache error message.
- Failing that, a sendmail banner (many APNIC sites don't resolve).
- Work along the name looking for an MX record.
- Look up the org. in a private database.
- Look up the org at whois.abuse.net.
- Try mailing to "abuse" anyhow, and watch for a bounce.
- If it doesn't resolve, dig through whois records starting at whois.arin.net.
- Mail to "abuse" if it exists in the whois record.
- If the technical contact address seems to match the netblock, as it does for major ISPs & orgs, try mailing "abuse@org".
- Otherwise, mail any email address found in the record, except if it's IANA, meaning it's a private netblock and I didn't notice.
- Try not to mail people like "nic () apnic net" if I can help it.

dshield.org is doing something similar with aggregate records. They cache whois contacts and store them in a database. There's an SQL dump on the web.

Abuse.net is really for spam complaints, but I've started using their database for resolved names except where I know a more appropriate one, e.g. "security-nonverbose () uu net" or whatever.

As has been pointed out to me, an automated reporter is vulnerable to scans with spoofed source addresses as an attack on the credibility of the reporter. (Maybe I need a "credible limit" of total scans/hour.)

--
Andrew Daviel, TRIUMF, Canada Tel.
+1 (604) 222-7376 security () triumf ca
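The lookup chain Andrew describes above, as an added example that is not part of the original post or of the reporter script: a Python sketch that works along a resolved hostname for an MX record, consults a private contact database, falls back to whois, skips IANA (private) netblocks, and applies the "credible limit" of total scans per hour he mentions. All lookups are injected and backed by constructed sample tables with hypothetical names, so it runs offline; swap in real DNS and whois calls for the `ptr_lookup`, `mx_lookup` and `whois_table` parameters.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data standing in for DNS, whois and the private DB; all names are hypothetical.
SAMPLE_PTR = {"198.51.100.7": "dyn-7.pool.access.example.net", "203.0.113.9": "host9.example.org"}
SAMPLE_MX = {"example.net": "mail.example.net", "example.org": "mx.example.org"}
SAMPLE_WHOIS = {"203.0.113.0/24": "abuse@isp.example.org", "192.0.2.0/24": "abuse@transit.example.com"}
PRIVATE_DB = {"example.org": "security-nonverbose@example.org"}
# Netblocks whose whois record points at IANA: private space, nobody to report to.
IANA_BLOCKS = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def mx_domain_for(hostname, mx_lookup):
    """Work along the name, dropping leading labels, until some suffix has an MX record."""
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never try the bare TLD
        candidate = ".".join(labels[i:])
        if mx_lookup(candidate):
            return candidate
    return None

def whois_abuse_for(ip, whois_table):
    """Return the abuse contact of the most specific netblock in the table containing ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for block, contact in whois_table.items():
        net = ipaddress.ip_network(block)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, contact)
    return best[1] if best else None

def find_contact(ip, ptr_lookup=SAMPLE_PTR.get, mx_lookup=SAMPLE_MX.get,
                 whois_table=SAMPLE_WHOIS, private_db=PRIVATE_DB):
    """Return (contact, how): private DB, then MX walk, then whois, else unresolved."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in IANA_BLOCKS):
        return None, "private-netblock"
    hostname = ptr_lookup(ip)
    if hostname:
        org = mx_domain_for(hostname, mx_lookup)
        if org:
            return (private_db[org], "private-db") if org in private_db else ("abuse@" + org, "mx-walk")
    contact = whois_abuse_for(ip, whois_table)
    return (contact, "whois") if contact else (None, "unresolved")

class CredibleLimit:
    """Hold back automatic reports once total scans in an hour exceed a threshold (spoofed-scan defence)."""
    def __init__(self, max_per_hour):
        self.max_per_hour, self.seen = max_per_hour, defaultdict(int)
    def allow(self, hour_bucket):
        self.seen[hour_bucket] += 1
        return self.seen[hour_bucket] <= self.max_per_hour
```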