Security Incidents mailing list archives
Re: auto-reporting to ISPs
From: wozz () LUVEWE BONCH ORG (wozz () LUVEWE BONCH ORG)
Date: Thu, 2 Mar 2000 19:24:10 -0700
On Tue, Feb 29, 2000 at 04:47:44PM -0800, Robert Graham wrote:
> Below is an e-mail from a customer who would like to see us add an auto-email feature to our product in order to notify the ISP of the offending hacker. This is pretty funny because we've already seen some complaints by ISPs from such a feature in other products appear on this list over the past couple of days. Could abuse@isp people please send me e-mail:
>
> * what is the proper way a product like BlackICE Defender should assist the user in reporting such events?
I'm not sure there's any easy way to filter intelligently. What I would like to see though is a little blurb explaining why "common" actions aren't a high priority. I don't think end-users realize that there are hundreds of thousands of kiddies online at any one time doing stuff like this, and only a tiny percentage of them are actually dangerous. Here is what I would like to see as an abuse@ person from BlackIce.

#1) A text version of the csv data. I don't want to have to fire up a spreadsheet program just to read this data. It adds a little bit extra time to every report I have to deal with.

#2) A filter on any automatically sent data. Many times I receive CSV's from BlackIce users with thousands of lines in them, only one of which may be relevant to me.

#3) Some alternate format to the .enc's. I've emailed you about this before. We don't have any Sniffers around to read the format, and the freeware readers I've seen are horrible. I'd like to be able to get something like a tcpdump that I can scan through visually. Again, it's just something that will speed each report up a little bit, but those little bits add up.

#4) A notice to the user before sending any automatic emails explaining to them when it is appropriate and when it is not to report an action (i.e., repeated attempts from one host is ok, one packet from one host is not really worth the trouble).

#5) Some standard format for either the message, or an attachment with all the information contained in the report in a standard format, so that they can be automatically processed. The IETF IDWG (http://www.ietf.org/html.charters/idwg-charter.html) may be a good place for this.
> * what should I tell this user about why we haven't put such a simple feature into the product?
I'd explain to them that it's very hard to automatically classify attacks as REALLY dangerous, and reporting petty attacks ends up just angering the abuse@ folks ;)
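As an added illustration of items #1, #2 and #4 of the reply above (this is not code from the list post, from BlackICE, or from the IDWG work), here is a small abuse-desk-side filter: it takes an automatically mailed CSV report, keeps only events whose source lies in the desk's own netblocks, applies the "repeated attempts from one host" rule, and renders the result as plain text. The column layout (timestamp, source_ip, destination_ip, event), the netblock, the threshold and the sample rows are all constructed for this example; BlackICE's real CSV layout is not given on the page.

```python
# Added example (not from the list post or the BlackICE product): an
# abuse-desk-side filter for automatically mailed intrusion reports.
#
# Assumed, constructed CSV layout:  timestamp,source_ip,destination_ip,event
import csv
import io
import ipaddress
from collections import Counter

# Netblocks this abuse desk is responsible for (constructed sample values).
OUR_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24")]

# Minimum events from one source before it is worth a report: the reply's
# "repeated attempts from one host is ok, one packet is not" rule.
REPEAT_THRESHOLD = 3

# Constructed sample report: one repeat offender in our block, one single
# packet in our block, one source outside our block, one malformed row.
SAMPLE_REPORT = """timestamp,source_ip,destination_ip,event
2000-03-02 18:01:05,192.0.2.17,203.0.113.5,TCP port probe
2000-03-02 18:01:06,192.0.2.17,203.0.113.5,TCP port probe
2000-03-02 18:01:07,192.0.2.17,203.0.113.5,TCP port probe
2000-03-02 18:05:44,198.51.100.9,203.0.113.5,UDP port probe
2000-03-02 18:09:13,192.0.2.200,203.0.113.5,TCP port probe
2000-03-02 18:10:00,not-an-ip,203.0.113.5,garbage line
"""


def parse_report(text):
    """Parse the CSV into row dicts, skipping rows whose source IP
    does not parse rather than rejecting the whole report."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            row["source_ip"] = ipaddress.ip_address(row["source_ip"].strip())
        except ValueError:
            continue
        rows.append(row)
    return rows


def is_ours(addr):
    """True if the address falls inside one of our netblocks."""
    return any(addr in net for net in OUR_NETBLOCKS)


def relevant_sources(rows, threshold=REPEAT_THRESHOLD):
    """Return {source_ip: event_count} for sources in our netblocks that
    reach the repeat threshold; everything else is noise for this desk."""
    counts = Counter(r["source_ip"] for r in rows if is_ours(r["source_ip"]))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def plain_text_summary(rows, threshold=REPEAT_THRESHOLD):
    """Item #1 of the reply: a text rendering an abuse handler can read
    without opening a spreadsheet."""
    hits = relevant_sources(rows, threshold)
    lines = [f"{len(rows)} events in report, "
             f"{len(hits)} source(s) meet threshold {threshold}"]
    for ip in sorted(hits, key=str):
        stamps = [r["timestamp"] for r in rows if r["source_ip"] == ip]
        lines.append(f"{ip}: {hits[ip]} events, {min(stamps)} .. {max(stamps)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(plain_text_summary(parse_report(SAMPLE_REPORT)))
```

Run stand-alone, the script prints a two-line summary naming only 192.0.2.17; the single probe from 192.0.2.200 and the out-of-block source 198.51.100.9 are dropped before anyone at the abuse desk has to read them.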