Snort mailing list archives
Re: Action Recommendations
From: "Justin Jessup" <jaager7 () earthlink net>
Date: Sun, 27 Oct 2002 23:55:19 +0000 (GMT)
I believe SANS has such a database set up, with the most frequent abusive IP addresses listed.

jj

Steve Suehring <snort () braingia org> wrote:
__________
On Sun, Oct 27, 2002 at 01:20:04PM -0500, Jarret Gibson wrote:

> - Should I bother with reporting these security problems to the offending person's ISP / office? I've heard most of you say that people rarely (if ever) do anything about the script kiddies / hackers when you report them.

I can't so much speak to the other questions in the email, but as far as reporting goes, it depends on a few factors. I've found that three major factors come into play when reporting: which ISP owns the IP space, what you're reporting, and what you include in the report.

First and foremost, it is unfortunate to say that it depends on which ISP you report the activity to. It appears that some ISPs absolutely don't care what happens within their IP space. This is the direct result of the abuse department not having enough resources and in some cases not having a clue. I've found *and this is just my opinion* that cable companies and telephone companies that now sell Internet are many times lacking in both.

Secondly, what you're reporting is also important. The abuse department receives massive amounts of email. If you're reporting a simple 'wrong number' type scan where someone typed in the wrong IP, they're likely to not pursue it. Again, this goes back to the abuse department not having enough resources.

Finally, what you include in the report is also important. I've seen a number of reports come in from people all over claiming that a customer was doing something. In fact, sometimes the report would say just that: "one of your customers is doing something to my web server, stop now!" Obviously, there's lots we could do with a report like that. :) If you include information such as logfiles, timezone, why exactly this was bad or indicative of abuse, etc., your report would have a better chance of being investigated. This somewhat ties in with the abuse department not having a clue and not having resources.

Again, the ISP is the biggest factor in the process. Some ISPs are great at slapping users, others seem to have a blackhole abuse mailbox. One idea (that someone else has already had, I'm sure) would be to set up a centralized site that contained an abuse reports database. You could then grab the list sorted by the top 10 subnets that the hijinx originates from and block 'em. Part of the database could contain whether or not the activity was reported to the ISP and what they did about it. Correlating that information, it would become evident which ISPs are attempting to do something about abuse from their IP space. If this isn't out there already and there is some interest, I'd be willing to look into it further. I thought I saw something like this on ISS or SANS or someone, I can't remember.

Anyway, hope that helps to give you an idea on reporting things.

Steve

-------------------------------------------------------
This SF.net email is sponsored by: ApacheCon, November 18-21 in Las Vegas (supported by COMDEX), the only Apache event to be fully supported by the ASF. http://www.apachecon.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
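Steve's point about what an abuse report should carry (the log lines themselves, an unambiguous timezone, and why the activity was abusive) can be turned into a small script that builds a report straight from Snort alerts; this is an added example, not code from the thread or from the Snort project. It assumes Snort's alert_fast line layout and a sensor clock running at UTC-5; the alert lines below are constructed sample data using documentation address ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample alert_fast lines (not from the thread); RFC 5737 addresses.
SAMPLE_ALERTS = """\
10/27/02-13:20:04.101 [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 192.0.2.10 -> 203.0.113.5
10/27/02-13:20:05.220 [**] [1:1421:2] SNMP AgentX/tcp request [**] [Priority: 2] {TCP} 192.0.2.10:41234 -> 203.0.113.5:705
10/27/02-13:21:11.004 [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Priority: 1] {TCP} 198.51.100.7:3412 -> 203.0.113.5:80
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, proto, src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\] "
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alerts(text, sensor_utc_offset_hours):
    """Parse alert lines; the sensor timestamps are local time at the given UTC offset."""
    tz = timezone(timedelta(hours=sensor_utc_offset_hours))
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # not an alert line (blank, banner, truncated): skip it
        local = datetime.strptime(m["ts"], "%m/%d/%y-%H:%M:%S").replace(tzinfo=tz)
        events.append({"utc": local.astimezone(timezone.utc), "sid": m["sid"],
                       "msg": m["msg"], "proto": m["proto"], "src": m["src"],
                       "dst": m["dst"], "dport": m["dport"]})
    return events

def group_by_source(events):
    """One report per offending source address, so each goes to the right ISP."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    return dict(by_src)

def abuse_report(src, events):
    """Render the evidence the abuse desk needs: UTC times, targets, rule ids, and a reason."""
    lines = [f"Abuse report for {src} (all times UTC; sensor: Snort; {len(events)} events)"]
    for e in sorted(events, key=lambda e: e["utc"]):
        port = f":{e['dport']}" if e["dport"] else ""
        lines.append(f"{e['utc']:%Y-%m-%d %H:%M:%S}Z {e['proto']} -> {e['dst']}{port}  [{e['sid']}] {e['msg']}")
    lines.append("Reason: the signatures above indicate scanning and exploit attempts against our host.")
    return "\n".join(lines)

if __name__ == "__main__":
    for src, evs in group_by_source(parse_alerts(SAMPLE_ALERTS, -5)).items():
        print(abuse_report(src, evs), end="\n\n")
```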
Current thread:
- Action Recommendations Jarret Gibson (Oct 27)
- Re: Action Recommendations Steve Suehring (Oct 27)
- <Possible follow-ups>
- Re: Action Recommendations Justin Jessup (Oct 27)
- Re: Action Recommendations twig les (Oct 28)
- Re: Action Recommendations Glenn Forbes Fleming Larratt (Oct 31)
- Tell the ISP- it will create change Gregory W. Ratcliff (Nov 03)
- Re: Action Recommendations twig les (Oct 28)
- Re: Action Recommendations Margles Singleton (Nov 11)