Snort mailing list archives
Fw: DSL-IP Probes Curiousity..
From: "james" <hackerwacker () cybermesa com>
Date: Fri, 14 Mar 2003 00:53:28 -0700
Are any of the front ends for Snort ASN or netblock aware?

james

----- Original Message -----
From: "batz" <>
To: "McBurnett, Jim" <>
Cc: <nanog () merit edu>
Sent: Friday, March 14, 2003 12:17 AM
Subject: Re: DSL-IP Probes Curiousity..

:
: On Thu, 13 Mar 2003, McBurnett, Jim wrote:
:
: :Will anyone answer this? I know you may not be
: :able to comment due to legal concerns.. But I am curious..
:
: I can answer, I just can't tell you who I do it for. ;) (the point
: of the nickname, but I digress)
:
: Short answer is: the larger the victim network, the less
: likely a portscan will be followed up, due to the increased
: probability of being part of some worm's random propagation
: pattern, or the introduction of factors caused by the size
: of the network.
:
: What I have been trying to get done is a way of sorting
: incoming attacks by netblock, so that cases can be built against
: those netblocks (eventually ASNs, ideally). We can go to the ISP
: with the alerts originating from them over a period of time, and
: show that someone is making a concerted effort to violate our
: network policies, and be able to provide them with ample evidence
: instead of the cheesy dumps of isolated portscan alerts from IDSs
: that they usually get.
:
: Interestingly, the IDS alert sorting interfaces that I have seen
: (cisco, iss, snort, acid, intellitactics etc.) do not seem to be
: CIDR aware, or aware in a meaningful way which would facilitate
: the kind of follow-up I just described.
:
: They sort by lots of internal flags (src, dst, severity, type)
: but they do not allow the aggregation of sources to enable the
: co-ordination of a response with the offending network. It's like
: they designed the software without understanding the value of the
: information it was generating. The one blind spot in the query
: types you can do on them is the one thing that would make them
: generate valuable information. It's kind of a joke really.
:
: (If any of those vendors are listening, I just gave you a million
: dollar improvement to your product. Contact me off list on where to send
: that bottle of Macallan, or for a good charity to donate to.)
:
: So, as for your question, the answer is: maybe.
:
: Cheers,
:
: --
: batz
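Added example, not part of the thread: a Python sketch of the netblock-aware aggregation batz describes, rolling Snort fast-format alerts up by source /24 so that one offending block can be reported to its ISP with the full set of alerts rather than isolated portscan hits. The alert lines, the fixed /24 prefix and the two-source threshold are constructed assumptions; real allocation boundaries or ASN lookups would replace the fixed prefix.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in Snort's "fast" alert format (not from the original thread).
SAMPLE_ALERTS = """\
03/13-22:01:05.123456  [**] [1:1000001:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 203.0.113.10:41234 -> 198.51.100.7:22
03/13-22:01:09.223456  [**] [1:1000001:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 203.0.113.11:41235 -> 198.51.100.7:23
03/13-22:05:41.000001  [**] [1:1000002:1] SCAN SSH brute force [**] [Priority: 2] {TCP} 203.0.113.77:5000 -> 198.51.100.8:22
03/13-23:10:00.000001  [**] [1:1000001:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 192.0.2.5:1234 -> 198.51.100.7:80
03/14-00:00:00.000001  [**] [1:1000003:1] WEB-MISC probe [**] [Priority: 3] {TCP} 203.0.113.200:33000 -> 198.51.100.9:80
"""

# Timestamp, gid:sid:rev, message, protocol, source and destination of one fast-format line.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

def aggregate_by_netblock(alert_text, prefix_len=24):
    """Roll individual alerts up into /prefix_len source netblocks.

    Returns {netblock: {"alerts", "sources", "sids", "first", "last"}}. The fixed
    prefix length is an assumption standing in for the real allocation or ASN.
    """
    blocks = defaultdict(lambda: {"alerts": 0, "sources": set(), "sids": set(),
                                  "first": None, "last": None})
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # skip anything that is not a fast-format alert line
        net = ipaddress.ip_network((m["src"], prefix_len), strict=False)
        b = blocks[str(net)]
        b["alerts"] += 1
        b["sources"].add(m["src"])
        b["sids"].add(m["sid"])
        # Fast-format timestamps (MM/DD-HH:MM:SS.usec) sort lexically within one year.
        b["first"] = m["ts"] if b["first"] is None else min(b["first"], m["ts"])
        b["last"] = max(b["last"] or m["ts"], m["ts"])
    return dict(blocks)

def concerted_netblocks(blocks, min_sources=2):
    """Netblocks with at least min_sources distinct offending hosts, busiest first."""
    hits = [(name, b) for name, b in blocks.items() if len(b["sources"]) >= min_sources]
    return sorted(hits, key=lambda item: item[1]["alerts"], reverse=True)
```

Each entry in `concerted_netblocks()` carries the alert count, distinct hosts, signature set and time span for one block, which is the evidence package the post wants to hand to the offending network's ISP.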