Snort mailing list archives
Re: You caught them, what next?
From: Michael Boman <michael.boman () securecirt com>
Date: Fri, 4 Apr 2003 23:11:20 +0800
After reading through this thread I come to only one conclusion: you all seem to spend too much time manually sending abuse email to the ISPs. As the email contains roughly the same information every time, except for the logs (which can be grabbed from the DB), it seems strange that no one seems to have automated the whole task.

I am using sguil (http://sf.net/projects/sguil) and have done some serious modifications to it (check out the CVS version) to cater for just this kind of thing. Sguil has "categories" into which you sort the alerts, and based on these categories it is decided whether an email is warranted. If an abuse email is warranted, a special flag in the DB is set to true. Then there is a small Perl script that runs from cron, walking through the database looking for this flag. Once it has found this "send abuse" flag it groups all the offending events this particular IP has done and sends them off to the ISP contact, and once that is done a "sent abuse" flag is set. This way I only need to do the normal cat'ing of the events and it sends off the email to the ISP automatically.

Any bounces or replies end up in the mail. Replies are treated as requests (like they want more information etc.; if it's an auto-responder it's just being ignored); bounces trigger the human to go and find a better contact person.

The whole thing is driven by dshield.org's excellent effort of tracking down offenders and sending them their "fightback" emails. So, 1) if you don't feel like writing your own scripts etc., you just sign up @ dshield.org and send them your logs, or 2) get some coding done ;) It took a few hours to set the whole thing up, but it saves time in the long run.

Just a few pointers to the templates people are using:

- Be polite, don't accuse anyone of anything.
- State the timezone (UTC or GMT +/- difference; UTC is best).
- Make sure that your clock is in sync with the rest of the world using NTP. When it is, also state this in the template.
- If possible, correlate IDS logs with other logs, like web logs, syslog/event log entries and so on.
- If your log format is not extremely common, please explain the format for the receiver (I find a link to a web page where you explain the different parts of the log file format is enough).

When you send out several hundred abuse emails per day, automate it.

Best regards
Michael Boman

PS Sorry, I cannot share the Perl script that sends out the emails, for two reasons: 1) it's highly integrated with the rest of our infrastructure, so much would need to be rewritten; 2) it belongs to the company and I am not allowed to share it (as of yet, anyway).

--
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com
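The cron job described in the post above (walk the DB for a "send abuse" flag, group the flagged events by offending source IP, mail the ISP contact a template that states UTC and NTP sync, then set a "sent abuse" flag), as an added example written for this page. It is not the author's Perl script and not sguil's own schema: the `event` table layout, the `ABUSE_CONTACTS` map, the `LOG_FORMAT_URL` placeholder and the sample events are all constructed for illustration, and mail delivery is injected as a `send` callable so the job can be run offline.

```python
"""Cron-style abuse-report job modelled on the workflow in the post.
Added example, not the author's Perl script: table layout, column names,
contact map and sample events are constructed for illustration."""
import sqlite3
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical page explaining the log format to the receiving abuse desk.
LOG_FORMAT_URL = "https://example.invalid/abuse-log-format"
# Constructed contacts; a real job would resolve these (whois, dshield, ...).
ABUSE_CONTACTS = {"192.0.2.10": "abuse@isp-a.invalid",
                  "203.0.113.7": "abuse@isp-b.invalid"}

# Constructed sample events (timestamps in UTC) for a simplified, sguil-like
# table: (ts, src_ip, dst_ip, dst_port, signature, send_abuse, abuse_sent)
SAMPLE_EVENTS = [
    ("2003-04-04 12:01:07", "192.0.2.10", "198.51.100.5", 80, "WEB-IIS cmd.exe access", 1, 0),
    ("2003-04-04 12:01:09", "192.0.2.10", "198.51.100.5", 80, "WEB-IIS cmd.exe access", 1, 0),
    ("2003-04-04 12:05:44", "192.0.2.10", "198.51.100.5", 443, "SCAN nmap TCP", 1, 0),
    ("2003-04-04 12:10:00", "203.0.113.7", "198.51.100.5", 22, "SCAN SSH brute force", 1, 0),
    ("2003-04-04 12:11:00", "203.0.113.9", "198.51.100.5", 22, "SCAN SSH brute force", 0, 0),  # not flagged
    ("2003-04-03 09:00:00", "192.0.2.10", "198.51.100.5", 80, "WEB-IIS cmd.exe access", 1, 1),  # already sent
]


def make_db():
    """Create an in-memory DB with the hypothetical event table and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE event (
        cid INTEGER PRIMARY KEY AUTOINCREMENT,
        ts TEXT NOT NULL, src_ip TEXT NOT NULL, dst_ip TEXT NOT NULL,
        dst_port INTEGER, signature TEXT,
        send_abuse INTEGER NOT NULL DEFAULT 0,
        abuse_sent INTEGER NOT NULL DEFAULT 0)""")
    conn.executemany("INSERT INTO event (ts, src_ip, dst_ip, dst_port, signature, "
                     "send_abuse, abuse_sent) VALUES (?,?,?,?,?,?,?)", SAMPLE_EVENTS)
    conn.commit()
    return conn


def pending_reports(conn):
    """Group every flagged-but-unsent event by offending source IP."""
    groups = defaultdict(list)
    rows = conn.execute("SELECT cid, ts, src_ip, dst_ip, dst_port, signature FROM event "
                        "WHERE send_abuse = 1 AND abuse_sent = 0 ORDER BY src_ip, ts")
    for cid, ts, src, dst, port, sig in rows:
        groups[src].append({"cid": cid, "ts": ts, "src_ip": src, "dst_ip": dst,
                            "dst_port": port, "signature": sig})
    return dict(groups)


def render_report(src_ip, events, clock_synced=True):
    """Build the polite abuse mail body: no accusations, UTC stated, NTP stated,
    log format explained, one line per event."""
    lines = [
        "Hello,",
        "",
        f"Our intrusion detection sensor logged the following activity from {src_ip}",
        "towards our network. We would appreciate it if you could look into it.",
        "",
        "All timestamps are UTC." + (" The sensor clock is synchronized via NTP."
                                     if clock_synced else ""),
        f"The log format is explained at {LOG_FORMAT_URL}",
        "",
        "timestamp (UTC)            src_ip -> dst_ip:dst_port  signature",
    ]
    for e in events:
        # Parse the stored timestamp and re-emit it with an explicit UTC offset.
        ts = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        lines.append(f"{ts.isoformat()}  {e['src_ip']} -> {e['dst_ip']}:{e['dst_port']}"
                     f"  {e['signature']}")
    lines += ["", "Thank you for your time.", ""]
    return "\n".join(lines)


def mark_sent(conn, cids):
    """Set the 'sent abuse' flag on exactly the events that went out."""
    conn.executemany("UPDATE event SET abuse_sent = 1 WHERE cid = ?", [(c,) for c in cids])
    conn.commit()


def run_once(conn, send):
    """One cron run: report each offending IP, then flag its events as sent.
    `send(to_addr, src_ip, body)` does the actual delivery; the flag is only
    set after it returns, so a failed send is retried on the next run."""
    sent = {}
    for ip, events in pending_reports(conn).items():
        send(ABUSE_CONTACTS.get(ip, "abuse@unknown.invalid"), ip, render_report(ip, events))
        mark_sent(conn, [e["cid"] for e in events])
        sent[ip] = len(events)
    return sent


if __name__ == "__main__":
    db = make_db()
    print(run_once(db, lambda to, ip, body: print(f"To: {to}\n{body}")))
```

Setting the "sent" flag only after `send` returns is what makes the job safe to re-run from cron: a crashed mail run leaves the rows unflagged and they go out on the next pass, and a successful run never mails the same event twice. Bounce and reply handling stays with a human, as the post describes.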
Current thread:
- You caught them, what next? Tobias Rice (Apr 02)
- Re: You caught them, what next? Joe Matusiewicz (Apr 02)
- Re: You caught them, what next? Matt Kettler (Apr 02)
- RE: You caught them, what next? Gordon Cunningham (Apr 02)
- Re: You caught them, what next? Michael Boman (Apr 04)
- <Possible follow-ups>
- RE: You caught them, what next? Drew Stockman (Apr 02)
- RE: You caught them, what next? L. Christopher Luther (Apr 02)
- RE: You caught them, what next? Brei, Matt (Apr 02)
- RE: You caught them, what next? L. Christopher Luther (Apr 02)
- RE: You caught them, what next? FWAdmin (Apr 02)
- RE: You caught them, what next? Brei, Matt (Apr 02)
- Re: You caught them, what next? Jason Haar (Apr 02)
- RE: You caught them, what next? L. Christopher Luther (Apr 03)
- RE: You caught them, what next? Erek Adams (Apr 03)
- RE: You caught them, what next? bmcdowell (Apr 03)
(Thread continues...)