Snort mailing list archives

Fw: DSL-IP Probes Curiousity..


From: "james" <hackerwacker () cybermesa com>
Date: Fri, 14 Mar 2003 00:53:28 -0700

Are any of the front ends for Snort ASN or netblock aware ?

james 
----- Original Message ----- 
From: "batz" <>
To: "McBurnett, Jim" <>
Cc: <nanog () merit edu>
Sent: Friday, March 14, 2003 12:17 AM
Subject: Re: DSL-IP Probes Curiousity..


: 
: On Thu, 13 Mar 2003, McBurnett, Jim wrote:
: 
: :Will anyone answer this?  I know you may not be
: :able to comment due to legal concerns.. But I am curious..
: 
: I can answer, I just can't tell you who I do it for. ;) (the point
: of the nickname, but I digress) 
: 
: Short answer is: the larger the victim network, the less 
: likely a portscan will be followed up due to the increased
: probability of being part of some worm's random propagation 
: pattern, or the introduction of factors caused by the size
: of the network. 
: 
: What I have been trying to get done is a way of sorting
: incoming attacks by netblock, so that cases can be built against
: those netblocks (eventually ASNs ideally). We can go to the ISP 
: with the alerts originating from them over a period of time, and
: show that someone is making a concerted effort to violate our
: network policies, and be able to provide them with ample evidence
: instead of the cheesy dumps of isolated portscan alerts from IDSs
: that they usually get.  
: 
: Interestingly, the IDS alert sorting interfaces that I have seen 
: (cisco, iss, snort, acid, intellitactics etc.) do not seem to be 
: CIDR aware, or aware in a meaningful way which would facilitate 
: the kind of follow-up I just described. 
: 
: They sort by lots of internal flags (src, dst, severity, type)
: but they do not allow the aggregation of sources to enable the
: co-ordination of a response with the offending network. It's like
: they designed the software without understanding the value of the
: information it was generating. The one blind spot in the query
: types you can do on them is the one thing that would make them
: generate valuable information. It's kind of a joke really. 
: 
: (If any of those vendors are listening, I just gave you a million 
: dollar improvement to your product. Contact me off list on where to send
: that bottle of Macallan, or for a good charity to donate to.) 
: 
: So, as for your question, the answer is: maybe. 
: 
: Cheers, 
: 
: -- 
: batz
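A worked illustration of the netblock and ASN roll-up batz is asking for, added here as an example; it is not code from this thread, from Snort, or from any of the vendors named above. It parses Snort "fast"-style alert lines (constructed sample data, addresses from the documentation ranges, signature ids in the local 1000000+ range), groups them by a configurable CIDR prefix (the default /24 below; /16 works the same way), keeps per-block first/last seen, distinct source hosts and signature mix, and rolls blocks up to an ASN through a longest-prefix lookup against a constructed prefix table. The AS numbers are from the documentation-reserved range, not real assignments; in practice the table would be built from a BGP feed or RIR data.

```python
"""Roll Snort-style alerts up by CIDR netblock and ASN so a case can be built per offending network.

Added example, not from the Snort project or the mailing-list thread. The alert lines and
the prefix-to-ASN table below are constructed; real data would come from Snort's alert
file and a BGP/RIR prefix export.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in Snort's "fast" alert format; addresses are from the
# documentation ranges and the sids are in the local (1000000+) range.
SAMPLE_ALERTS = """\
03/13-22:01:10.123456  [**] [1:1000001:1] LOCAL ICMP ping sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.7 -> 192.0.2.10
03/13-22:05:41.223456  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 198.51.100.7 -> 192.0.2.10
03/13-23:17:02.323456  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 198.51.100.200 -> 192.0.2.11
03/14-00:02:59.423456  [**] [1:1000002:1] LOCAL SNMP probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.9:33021 -> 192.0.2.12:161
03/14-00:10:15.523456  [**] [1:1000003:1] LOCAL UDP 1434 worm-like burst [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.44:1434 -> 192.0.2.13:1434
03/14-00:11:30.623456  [**] [1:1000003:1] LOCAL UDP 1434 worm-like burst [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.45:1434 -> 192.0.2.14:1434
"""

# Constructed prefix-to-ASN table; AS64496/AS64497 are documentation-reserved numbers (RFC 5398).
CONSTRUCTED_ASN_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "AS64496",
    ipaddress.ip_network("203.0.113.0/24"): "AS64497",
}

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(?P<sig>\d+:\d+:\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{[^}]*\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->"
)


def parse_alert(line):
    """Return timestamp, signature id, message and source address, or None for a non-alert line."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    return {"ts": m["ts"], "sig": m["sig"], "msg": m["msg"], "src": ipaddress.ip_address(m["src"])}


def lookup_asn(addr, table):
    """Longest-prefix match of addr against a {network: asn} table."""
    best = None
    for net, asn in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else "unknown"


def aggregate_by_netblock(lines, prefix_len=24, asn_table=None):
    """Group alerts by the /prefix_len block containing each source address.

    Result: {"198.51.100.0/24": {"count", "sources", "signatures", "first", "last", "asn"}}.
    Timestamps are kept as Snort's MM/DD-HH:MM:SS strings, which sort correctly within a year.
    """
    asn_table = asn_table or {}
    blocks = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = str(ipaddress.ip_network(f"{a['src']}/{prefix_len}", strict=False))
        e = blocks.setdefault(key, {"count": 0, "sources": set(), "signatures": Counter(),
                                    "first": a["ts"], "last": a["ts"],
                                    "asn": lookup_asn(a["src"], asn_table)})
        e["count"] += 1
        e["sources"].add(str(a["src"]))
        e["signatures"][a["msg"]] += 1
        e["first"] = min(e["first"], a["ts"])
        e["last"] = max(e["last"], a["ts"])
    return blocks


def aggregate_by_asn(blocks):
    """Roll netblock summaries up to the ASN level (the 'eventually ASNs' step)."""
    per_asn = defaultdict(lambda: {"count": 0, "netblocks": set()})
    for cidr, e in blocks.items():
        per_asn[e["asn"]]["count"] += e["count"]
        per_asn[e["asn"]]["netblocks"].add(cidr)
    return dict(per_asn)


def case_report(blocks, min_alerts=2):
    """Text an abuse contact can act on: busiest netblocks first, with hosts, time span and signature mix."""
    out = []
    for cidr, e in sorted(blocks.items(), key=lambda kv: kv[1]["count"], reverse=True):
        if e["count"] < min_alerts:
            continue
        out.append(f"{cidr} ({e['asn']}): {e['count']} alerts from {len(e['sources'])} hosts, "
                   f"{e['first']} .. {e['last']}")
        for msg, n in e["signatures"].most_common():
            out.append(f"    {n:4d}  {msg}")
    return "\n".join(out)


if __name__ == "__main__":
    blocks = aggregate_by_netblock(SAMPLE_ALERTS.splitlines(), 24, CONSTRUCTED_ASN_TABLE)
    print(case_report(blocks))
    print(aggregate_by_asn(blocks))
```

The distinct-host count and signature mix per block are what separate a concerted effort from the worm background noise batz mentions: a handful of hosts in one block hitting several different signatures over hours reads very differently from many unrelated hosts each firing a single worm signature once, and the report shows that difference without any per-alert drill-down.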


