Snort mailing list archives

Re: You caught them, what next?


From: Michael Boman <michael.boman () securecirt com>
Date: Fri, 4 Apr 2003 23:11:20 +0800

After reading through this thread I can only come to one conclusion:
you all seem to spend too much time manually sending abuse email to the
ISPs. As the emails roughly contain the same information every time,
except for the logs (which can be grabbed from the DB), it seems strange
that no one seems to have automated the whole task.

I am using sguil (http://sf.net/projects/sguil) and have done some serious
modifications to it (check out the CVS version) to cater for just this
kind of thing. Sguil has "categories" into which you sort the alerts,
and based on these categories it is decided whether an email is warranted. If
an abuse email is warranted, a special flag in the DB is set to true. Then
there is a small perl script that runs from cron, walking through the
database looking for this flag. Once it has found this "send abuse flag"
it groups all the offending events this particular IP has done and sends
them off to the ISP contact, and once that is done a "sent abuse flag" is
set. This way I only need to do the normal cat'ing of the events and it
sends off the email to the ISP automatically. Any bounces or replies end
up in the mail. Replies are treated as requests (like they want more
information etc; if it's an auto-responder it's just being ignored),
bounces trigger the human to go and find a better contact person. The
whole thing is driven by dshield.org's excellent effort of tracking down
offenders and sending them their "fightback" emails.

So, 

1) if you don't feel like writing your own scripts etc you just sign up @
   dshield.org and send them your logs - or

2) Get some coding done ;)

It took a few hours to set the whole thing up, but it saves time in the
long run.

Just a few pointers on the templates people are using:

- Be polite, don't accuse anyone of anything
- State the timezone (UTC or GMT +/- difference. UTC is best)
- Make sure that your clock is in sync with the rest of the world using
  NTP. When it is, also state this in the template.
- If possible, correlate IDS logs with other logs, like weblogs,
  syslog/event log entries and so on.
- If your log format is not extremely common, please explain the format
  for the receiver (I find a link to a webpage where you explain the
  different parts of the logfile format is enough)


When you send out several hundred abuse emails per day, automate it.

Best regards
 Michael Boman

PS
 Sorry, I cannot share the perl script that sends out the emails, for two reasons:

 1) It's highly integrated with the rest of our infrastructure, so much
    would need to be rewritten
 2) It belongs to the company; I am not allowed to share it (as of
    yet anyway)
 
-- 
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com
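The cron-driven flag walker described in the post above, as an added example. It is written in Python rather than the poster's Perl and is not his script (which he says he cannot share). It assumes a sguil-like event table with per-event send_abuse/sent_abuse flags and a separate abuse_contact table mapping a source IP to an abuse mailbox; the sample alerts, IPs, addresses and contacts are constructed, an in-memory sqlite3 database stands in for the sguil MySQL database, and a `send` callback stands in for SMTP delivery. The template follows the pointers in the post (polite wording, UTC timestamps, an NTP statement, a link explaining the log format). One added choice: an IP with no known abuse contact is left pending and returned for a human to look up, in the spirit of the bounce handling the post describes.

```python
"""Batch abuse-report sender modelled on the sguil workflow in the post.
Added example, not the poster's code.  Assumed schema: event rows carry
send_abuse (analyst wants a report) and sent_abuse (report already mailed)
flags; abuse_contact maps a source IP to an abuse mailbox."""
import sqlite3
from collections import defaultdict

SCHEMA = """
CREATE TABLE event (
    sid TEXT, timestamp TEXT, src_ip TEXT, src_port INTEGER,
    dst_ip TEXT, dst_port INTEGER, signature TEXT, category TEXT,
    send_abuse INTEGER DEFAULT 0, sent_abuse INTEGER DEFAULT 0);
CREATE TABLE abuse_contact (src_ip TEXT PRIMARY KEY, email TEXT);
"""

# Constructed sample alerts (documentation-range IPs, not real traffic).
# Timestamps are stored in UTC, as the post recommends.
SAMPLE_EVENTS = [
    ("sensor1", "2003-04-04 14:02:11", "192.0.2.10", 4432, "10.0.0.5", 80, "WEB-IIS cmd.exe access", "attempted-admin", 1, 0),
    ("sensor1", "2003-04-04 14:02:13", "192.0.2.10", 4433, "10.0.0.5", 80, "WEB-IIS unicode directory traversal", "attempted-admin", 1, 0),
    ("sensor1", "2003-04-04 14:05:40", "198.51.100.7", 1025, "10.0.0.9", 1433, "MS-SQL probe", "attempted-recon", 1, 0),
    ("sensor1", "2003-04-04 14:06:15", "203.0.113.77", 2222, "10.0.0.9", 22, "SSH brute force attempt", "attempted-user", 1, 0),
    ("sensor1", "2003-04-04 14:07:02", "203.0.113.4", 3333, "10.0.0.5", 80, "WEB-MISC robots.txt access", "not-suspicious", 0, 0),
    ("sensor1", "2003-04-03 09:00:00", "192.0.2.10", 4000, "10.0.0.5", 80, "WEB-IIS cmd.exe access", "attempted-admin", 1, 1),
]
# Constructed contacts; 203.0.113.77 deliberately has none.
SAMPLE_CONTACTS = {"192.0.2.10": "abuse@example.net", "198.51.100.7": "abuse@example.org"}

TEMPLATE = """Dear abuse team,

Our intrusion detection sensors logged the activity below from {ip}, a host
in your address space. We are not accusing anyone; the machine may well be
compromised. All times are UTC; our sensors are synchronised via NTP.
Log format: sensor, time (UTC), src:port -> dst:port, signature, [category].
A description of the format is at {format_url}

{lines}

Regards,
{sender}
"""


def build_db(events, contacts):
    """Load constructed rows into an in-memory stand-in for the sguil DB."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO event VALUES (?,?,?,?,?,?,?,?,?,?)", events)
    conn.executemany("INSERT INTO abuse_contact VALUES (?,?)", contacts.items())
    conn.commit()
    return conn


def pending_by_ip(conn):
    """Events flagged for reporting but not yet mailed, grouped per source IP."""
    rows = conn.execute(
        "SELECT rowid, sid, timestamp, src_ip, src_port, dst_ip, dst_port, signature, category "
        "FROM event WHERE send_abuse = 1 AND sent_abuse = 0 ORDER BY src_ip, timestamp")
    grouped = defaultdict(list)
    for row in rows:
        grouped[row[3]].append(row)
    return grouped


def format_report(ip, rows, sender, format_url):
    """Render one polite, UTC-stamped report covering all of an IP's events."""
    lines = "\n".join(f"{r[1]} {r[2]} {r[3]}:{r[4]} -> {r[5]}:{r[6]} {r[7]} [{r[8]}]" for r in rows)
    return TEMPLATE.format(ip=ip, lines=lines, sender=sender, format_url=format_url)


def run_abuse_batch(conn, send, sender="IDS team", format_url="https://ids.example.com/logformat"):
    """One cron run: mail each pending IP's events, then set sent_abuse so a
    rerun is idempotent.  IPs without a contact stay pending and are returned
    for a human to resolve.  Returns (sent, needs_human)."""
    sent, needs_human = [], []
    for ip, rows in pending_by_ip(conn).items():
        contact = conn.execute("SELECT email FROM abuse_contact WHERE src_ip = ?", (ip,)).fetchone()
        if contact is None:
            needs_human.append(ip)
            continue
        body = format_report(ip, rows, sender, format_url)
        send(contact[0], f"Abuse report: {len(rows)} event(s) from {ip}", body)
        # Flag only after the send callback returned, so a delivery failure leaves the rows pending.
        conn.executemany("UPDATE event SET sent_abuse = 1 WHERE rowid = ?", [(r[0],) for r in rows])
        conn.commit()
        sent.append((ip, contact[0], len(rows)))
    return sent, needs_human


def demo():
    """Run the batch twice against the sample data; the second run sends nothing."""
    conn = build_db(SAMPLE_EVENTS, SAMPLE_CONTACTS)
    outbox = []
    capture = lambda to, subject, body: outbox.append((to, subject, body))  # stands in for SMTP
    first = run_abuse_batch(conn, capture)
    second = run_abuse_batch(conn, capture)
    return first, second, outbox


if __name__ == "__main__":
    (sent, needs_human), second, outbox = demo()
    print("sent:", sent, "needs human:", needs_human, "second run:", second)
    print(outbox[0][2])
```

Run it as a cron job against the real database with `send` replaced by an SMTP call; because the flag is only set after the send returns, a crashed run simply picks the same rows up next time.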
