Snort mailing list archives
Re: Action Recommendations
From: twig les <twigles () yahoo com>
Date: Mon, 28 Oct 2002 10:31:30 -0800 (PST)
I worked at an ISP that blocked offending IPs at the border. It was an insane policy and resulted in Cisco 7500s with 99% CPU utilization because the ACLs were 6,000-10,000 lines each. I wouldn't go down that road unless the attacking IP/range is particularly nasty.

--- Justin Jessup <jaager7 () earthlink net> wrote:
I believe SANS has such a database setup, with the most frequent abusive IP addresses listed.

jj

Steve Suehring <snort () braingia org> wrote:

On Sun, Oct 27, 2002 at 01:20:04PM -0500, Jarret Gibson wrote:

- Should I bother with reporting these security problems to the offending person's ISP / office? I've heard most of you say that people rarely (if ever) do anything about the script kiddies / hackers when you report them.

I can't so much speak to the other questions in the email, but as far as reporting goes, it depends on a few factors. I've found that three major factors come into play when reporting: which ISP owns the IP space, what you're reporting, and what you include in the report.

First and foremost, it is unfortunate to say that it depends on which ISP you report the activity to. It appears that some ISPs absolutely don't care what happens within their IP space. This is the direct result of the abuse department not having enough resources and in some cases not having a clue. I've found *and this is just my opinion* that cable companies and telephone companies that now sell Internet are many times lacking in both.

Secondly, what you're reporting is also important. The abuse department receives massive amounts of email. If you're reporting a simple 'wrong number' type scan where someone typed in the wrong IP, they're likely to not pursue it. Again, this goes back to the abuse department not having enough resources.

Finally, what you include in the report is also important. I've seen a number of reports come in from people all over claiming that a customer was doing something. In fact, sometimes the report would say just that: "one of your customers is doing something to my webserver, stop now!" Obviously, there's lots we could do with a report like that. :) If you include information such as logfiles, timezone, why exactly this was bad or indicative of abuse, etc., your report would have a better chance of being investigated. This somewhat ties in with the abuse department not having a clue and not having resources.

Again, the ISP is the biggest factor in the process. Some ISPs are great at slapping users, others seem to have a blackhole abuse mailbox.

One idea (that someone else has already had, I'm sure) would be to set up a centralized site that contained an abuse reports database. You could then grab the list sorted by the top 10 subnets that the hijinx originates from and block 'em. Part of the database could contain whether or not the activity was reported to the ISP and what they did about it. Correlating that information, it would become evident which ISPs are attempting to do something about abuse from their IP space. If this isn't out there already and there is some interest, I'd be willing to look into it further. I thought I saw something like this on ISS or SANS or someone, I can't remember.

Anyway, hope that helps to give you an idea on reporting things.

Steve
=====
-----------------------------------------------------------
Heavy metal made me do it.
-----------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
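Steve's suggestion of ranking the noisiest source subnets, and his list of what an abuse report should contain (logfiles, timezone, why it was abusive), as an added Python example that is not from the thread or from the Snort project; it also illustrates twig les's point, since grouping by /24 keeps a blocklist far shorter than a per-host ACL. The alert lines are constructed in Snort's "fast" alert format, and the /24 grouping and the report layout are my assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample alerts in Snort's "fast" alert format (not from the thread);
# 10.0.0.5 is the monitored web server, sources are documentation ranges.
SAMPLE_ALERTS = """\
10/27-13:20:04.100000  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:4567 -> 10.0.0.5:80
10/27-13:20:05.200000  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.11:4568 -> 10.0.0.5:80
10/27-13:21:00.300000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.7 -> 10.0.0.5
10/27-13:22:10.400000  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.12:4569 -> 10.0.0.5:80
10/27-13:23:00.500000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.8 -> 10.0.0.5
10/27-13:24:00.600000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.77 -> 10.0.0.5
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]

def top_source_subnets(events, prefix=24, n=10):
    """Rank source subnets by alert count; a /24 list stays much shorter than a per-host ACL."""
    counts = Counter(str(ip_network(f"{e['src']}/{prefix}", strict=False)) for e in events)
    return counts.most_common(n)

def abuse_report(events, subnet, tz="-0500", year=2002):
    """Draft a report carrying the details Steve asks for: timezone, log excerpt, reason."""
    net = ip_network(subnet)
    hits = [e for e in events if ip_address(e["src"]) in net]
    sigs = sorted({f"{e['msg']} (SID {e['sid']})" for e in hits})
    lines = [f"Abuse report: {len(hits)} Snort alerts from {subnet}",
             f"Timestamps are MM/DD-HH:MM:SS, year {year}, UTC offset {tz}",
             "Why this is abuse, signatures matched: " + "; ".join(sigs),
             "Log excerpt:"]
    lines += [f"  {e['ts']} {e['src']} -> {e['dst']} {e['msg']}" for e in hits]
    return "\n".join(lines)
```

Running `top_source_subnets(parse_alerts(SAMPLE_ALERTS))` over a real alert file gives the "top 10 subnets" list Steve describes, and `abuse_report` turns one entry into something an abuse desk can actually act on.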
Current thread:
- Action Recommendations Jarret Gibson (Oct 27)
- Re: Action Recommendations Steve Suehring (Oct 27)
- <Possible follow-ups>
- Re: Action Recommendations Justin Jessup (Oct 27)
- Re: Action Recommendations twig les (Oct 28)
- Re: Action Recommendations Glenn Forbes Fleming Larratt (Oct 31)
- Tell the ISP- it will create change Gregory W. Ratcliff (Nov 03)
- Re: Action Recommendations twig les (Oct 28)
- Re: Action Recommendations Margles Singleton (Nov 11)