Security Incidents mailing list archives
Re: Maintaining a "watch list"
From: "Ragnar Paulson" <ragnar () wanware com>
Date: Thu, 4 Nov 2004 12:25:44 -0500
Hello,

Have you heard of mynetwatchman? Check out www.mynetwatchman.com. Lawrence Baldwin collects attack info from agents all over the world (currently approximately 1000) and uses it to generate warnings to ISPs and others responsible for the source of possible attacks.

The software is also capable of generating a "watch list" of probable bad IPs. This list currently holds about 38000 IP addresses. It has been as high as 80000. We use it to automatically maintain firewall rules for shunning (as you say) known compromised or malicious computers.

Ragnar Paulson
The Software Group Limited

----- Original Message -----
From: "Kirby Angell" <kangell () alertra com>
To: "Incidents List" <incidents () securityfocus com>
Sent: Wednesday, November 03, 2004 6:03 PM
Subject: Maintaining a "watch list"
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would like to figure out a way I can maintain a "watch list" of IPs that have generated traffic that is suspicious, but not suspicious enough to warrant being shunned. Ideally I'd like to be notified via e-mail within a few minutes of the target IP connecting with my network; no more than once per hour for each IP. My need for this will become apparent with a post I'll make to this list later tonight.

We monitor all the traffic coming into and out of our production machines so I have some flexibility here. I've thought of solutions involving tcpdump, ngrep, and other things. I just wondered what others did when they have an IP that might turn out to be an attacker, but they aren't sure yet.

- --
Thank you,

Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBiWPL21unUZAE9MARAh5AAJ9QLvW+uSQcpVplLXXo8E/zWLJFTwCfcbyf
97GyWhZjNOnspd3b7iNB6Gg=
=RWwG
-----END PGP SIGNATURE-----
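The requirement in the original question (notify when a watched IP connects, at most once per hour per IP) can be sketched as below. This is an added example, not code from either poster or from mynetwatchman; it assumes input in `tcpdump -tttt -n` text format, and the class name, function names and sample lines are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Matches "YYYY-MM-DD HH:MM:SS.frac IP src[.sport] > dst[.dport]:" (tcpdump -tttt -n).
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ IP "
    r"(\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?:")

class WatchList:
    """Hypothetical helper: watched addresses/CIDRs plus per-IP alert throttling."""
    def __init__(self, entries, min_interval=timedelta(hours=1)):
        self.networks = [ipaddress.ip_network(e) for e in entries]
        self.min_interval = min_interval
        self.last_alert = {}  # source IP -> packet timestamp of last alert sent

    def process(self, line):
        """Return an alert string, or None if unmatched or throttled."""
        m = LINE_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        src, dst, dport = m.group(2), m.group(3), m.group(4)
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:  # malformed address in the capture text
            return None
        if not any(addr in net for net in self.networks):
            return None
        last = self.last_alert.get(src)
        if last is not None and ts - last < self.min_interval:
            return None  # already notified for this IP within the interval
        self.last_alert[src] = ts
        return f"{ts} watched IP {src} contacted {dst} port {dport or '-'}"

def run(lines, entries):
    """Feed capture lines through a WatchList; return the alerts to be mailed."""
    wl = WatchList(entries)
    return [a for a in map(wl.process, lines) if a]

# Constructed sample capture lines (documentation address ranges).
SAMPLE = [
    "2004-11-03 18:00:01.000001 IP 192.0.2.10.4312 > 198.51.100.5.80: S",
    "2004-11-03 18:00:02.000001 IP 203.0.113.7.1025 > 198.51.100.5.25: S",
    "2004-11-03 18:30:00.000001 IP 192.0.2.10.4313 > 198.51.100.5.22: S",
    "2004-11-03 19:00:01.000001 IP 192.0.2.10.4400 > 198.51.100.5.80: S",
]

if __name__ == "__main__":
    for alert in run(SAMPLE, ["192.0.2.10"]):
        print(alert)  # in production, hand each alert to the mailer instead
```

Throttling keys on the packet timestamp rather than wall-clock time, so replaying a saved capture produces the same alerts as live monitoring would.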