Security Incidents mailing list archives
Re: Handling Scans.
From: Guillaume Filion <gfk () LOGIDAC COM>
Date: Mon, 12 Feb 2001 21:29:40 -0500
I've been wanting to do something like this for a long time, but never got enough time/motivation/skills. Spamcop.net has an algorithm that finds out who to send the abuse message to. I've been using this service for about a year (several times a day) and it has been wrong only once (that I know of). Here's what it does with www.securityfocus.com's IP (66.38.151.10):

-----
"nslookup 66.38.151.10" (getting name) [show]
66.38.151.10 = www.securityfocus.com
"nslookup www.securityfocus.com" (checking ip) [show]
ip = 66.38.151.10
No abuse.net record for www.securityfocus.com
"nslookup www.securityfocus.com" (checking ip) [show]
ip = 66.38.151.10
Using shortest default abuse.net entry - abuse.net www.securityfocus.com = postmaster () securityfocus com
paranoid reverse DNS passes - using postmaster () securityfocus com
"dig -x 66.38.151.10 soa " (digging for Start Of Authority) [show] - not found
"dig -x 66.38.151 soa " (digging for Start Of Authority) [show] - root () ns1 broadband net
abuse.net ns1.broadband.net = jbradley () GT CA, postmaster () broadband net
Found abuse address: postmaster () broadband net, jbradley () GT CA, postmaster () securityfocus com
-----

A draft algo would be something like this; the script receives $ip:

-----
## Check the IP's validity
$name=`host $ip`;
$nameip=`host $name`;
if ($nameip!=$ip) {
    # problem, do something... (?)
}

## Direct IP
$abuse=`whois -h whois.abuse.net $name`;
if (domain($abuse)==domain($nameip)) {  # paranoid reverse DNS passes
    $abuseall+=$abuse;
}

## DNS zone's SOA
do {
    $digip=popByte($ip);  # Removes the last byte at each call
    $soa=`dig -x $digip soa`;
} until (!empty($soa));
$abuse=`whois -h whois.abuse.net $soa`;
$abuseall+=$abuse;

## Last resort, ARIN/RIPE/APNIC/DODNIC contact
if (empty($abuseall)) {
    $whoisserver=findAuthority($ip);  # Finds the authority based on the IP (the programmer could look at whois -h whois.arin.net ripe)
    $arincontact=arinParseContact(`whois -h $whoisserver $ip`);
    $abuse=`whois -h whois.abuse.net $arincontact`;
    $abuseall+=$abuse;
}
return $abuseall;
-----

Please note that this won't compile on anything; it's just an idea of how this could work... I hope someone will be able to find the time to implement something like this. I certainly would like feedback on this.

GFK's
I use portsentry at home to scan 'em back and then block their IP. It saves the information to a file that I can use. I would think something like snort would be nice for generating the email, but really that is the easy part. Finding who to send it to and waiting on hold is the part that stinks.

Mike

-----Original Message-----
From: abel wisman [mailto:abel () able-towers com]
Sent: Monday, February 12, 2001 12:31 PM
To: Reeves, Mike; INCIDENTS () SECURITYFOCUS COM
Subject: Re: Handling Scans.

This matter is interesting, and I was thinking about it upon reading the previous posting. As a shell/web host, the number of scans that pass by daily is staggering. Certainly I would like to sit down and write to all ISPs about their "clients" doing this; however, time is an elusive article nowadays.

Has (in addition to the question already asked) anybody made (perhaps) an automated system based on, for instance, iplog, snort or tripwire, where mail is generated to do this automatically?

Would be an interesting feature.

abel wisman
ABLE Towers LLC
www.able-towers.com
www.url.org

On Monday 12 February 2001 10:28, Reeves, Mike wrote:

I was trying to get some community-type feedback on what people usually do in handling scans of their networks. At home I usually look back at the person scanning me. I get scanned about 5 times a day. Should I take the time to contact the admin or should I just let it go? What do most people do?

Mike K. Reeves
Networking Services Engineer, Synchrony Communications, Inc.
MCSE Microsoft Certified System Eliminator
"Geek by nature... Linux By Choice..."
--
Guillaume Filion
Logidac Tech., Beaumont, Québec, Canada - http://logidac.com/
PGP Fingerprint: 14A6 720A F7BA 6C87 2331 33FD 467E 9198 3DED D5CA
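The draft algorithm from Guillaume's post, written out as an added example in runnable Python (not code from the thread): the forward-confirmed reverse lookup, the octet-stripping SOA walk and the registry fallback. DNS and whois.abuse.net lookups are injected callables so it runs offline; the `fixture_*` objects, the `DNS`/`ABUSE_NET` tables, the forged 192.0.2.7 entry and the registry address are constructed for this example.

```python
# Added example, not code from the thread: the draft abuse-contact algorithm as runnable
# Python. DNS and whois.abuse.net lookups are injected callables so it runs offline on a
# constructed fixture; production code would back them with a real resolver and whois.
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str, str], Optional[str]]  # (owner, rrtype) -> rdata or None
Lookup = Callable[[str], Optional[str]]          # domain or ip -> abuse address or None

def reverse_name(prefix: str) -> str:
    """in-addr.arpa owner for a dotted IPv4 address or a truncated prefix of one."""
    return ".".join(reversed(prefix.split("."))) + ".in-addr.arpa."

def forward_confirmed_name(ip: str, resolve: Resolver) -> Optional[str]:
    """'Paranoid reverse DNS': the PTR name is trusted only if its A record points back at ip,
    since whoever controls the in-addr.arpa zone can publish any PTR they like."""
    name = (resolve(reverse_name(ip), "PTR") or "").rstrip(".")
    return name if name and resolve(name, "A") == ip else None

def soa_contact_domain(ip: str, resolve: Resolver) -> Optional[str]:
    """popByte loop: strip octets until an in-addr.arpa zone has an SOA; return its RNAME host part."""
    octets = ip.split(".")
    while octets:
        rname = resolve(reverse_name(".".join(octets)), "SOA")
        if rname:  # root.ns1.broadband.net. -> ns1.broadband.net
            return rname.rstrip(".").partition(".")[2] or None
        octets.pop()
    return None

def abuse_contacts(ip: str, resolve: Resolver, abuse_net: Lookup, registry: Lookup) -> List[str]:
    """abuse.net for the confirmed name, then the SOA authority; registry whois only as a last resort."""
    found: List[str] = []
    for domain in (forward_confirmed_name(ip, resolve), soa_contact_domain(ip, resolve)):
        addr = abuse_net(domain) if domain else None
        if addr and addr not in found:
            found.append(addr)
    return found or [addr for addr in (registry(ip),) if addr]

# Constructed fixture: the thread's securityfocus.com walk-through, plus 192.0.2.7, whose
# forged PTR fails forward confirmation so only the registry fallback remains.
DNS: Dict[Tuple[str, str], str] = {
    ("10.151.38.66.in-addr.arpa.", "PTR"): "www.securityfocus.com.",
    ("www.securityfocus.com", "A"): "66.38.151.10",
    ("151.38.66.in-addr.arpa.", "SOA"): "root.ns1.broadband.net.",
    ("7.2.0.192.in-addr.arpa.", "PTR"): "www.securityfocus.com.",  # forged PTR
}
ABUSE_NET = {"www.securityfocus.com": "postmaster@securityfocus.com",
             "ns1.broadband.net": "postmaster@broadband.net"}
fixture_resolve: Resolver = lambda owner, rrtype: DNS.get((owner, rrtype))
fixture_abuse_net: Lookup = ABUSE_NET.get
fixture_registry: Lookup = lambda ip: "abuse@registry.example"  # stands in for a whois parse
```

For 66.38.151.10 the confirmed name and the SOA authority both yield contacts; for 192.0.2.7 the forged PTR is discarded and only the registry contact is returned.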
Current thread:
- Re: Handling Scans., (continued)
- Re: Handling Scans. Russell Fulton (Feb 13)
- Re: Handling Scans. deviate (Feb 13)
- Re: Handling Scans. Eelco Duijker (Feb 15)
- Re: Handling Scans. Russell Fulton (Feb 13)
- Re: Handling Scans. Joe Shaw (Feb 13)
- Re: Handling Scans. Michael Boman (Feb 13)
- Re: Handling Scans. Richard Johnson (Feb 13)
- Re: Handling Scans. Harlan S. Barney, Jr. (Feb 13)
- Re: Handling Scans. Booke, Raymond (Feb 12)
- Re: Handling Scans. Reeves, Mike (Feb 12)
- Re: Handling Scans. Timothy Lyons (Feb 12)
- Re: Handling Scans. Guillaume Filion (Feb 12)
- Re: Handling Scans. Abe Getchell (Feb 13)
- Re: Handling Scans. Reeves, Mike (Feb 13)
- Re: Handling Scans. Reeves, Mike (Feb 13)
- Re: Handling Scans. Valdis Kletnieks (Feb 13)
- Re: Handling Scans. John Nemeth (Feb 14)
- Re: Handling Scans. John Nemeth (Feb 14)
- Re: Handling Scans. Justin Shore (Feb 14)
- Re: Handling Scans. John Oliver (Feb 14)