Security Incidents mailing list archives

Re: Maintaining a "watch list"


From: "Ragnar Paulson" <ragnar () wanware com>
Date: Thu, 4 Nov 2004 12:25:44 -0500


Hello,

Have you heard of mynetwatchman?  Check out www.mynetwatchman.com.  Lawrence Baldwin collects attack info from agents
all over the world (currently approximately 1000) and uses it to generate warnings to ISPs and others responsible for
the source of possible attacks.  The software is also capable of generating a "watch list" of probable bad IPs.  This
list currently holds about 38000 IP addresses.  It has been as high as 80000.  We use it to automatically maintain
firewall rules for shunning (as you say) known compromised or malicious computers.

Ragnar Paulson
The Software Group Limited
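
As an added illustration of the list-driven shunning Ragnar describes (this is not code from mynetwatchman or
The Software Group), the following script refreshes a firewall chain from a fetched list without flushing and
reloading every rule.  The feed format (one host or CIDR per line), the chain name SHUN, the protected ranges
and the two sample lists are all assumptions made for the example.

```python
import ipaddress

# Constructed sample data (not the real mynetwatchman feed): the entries currently
# shunned and a freshly fetched list, one host or CIDR per line.
CURRENT_SHUN = """\
192.0.2.10
192.0.2.11
198.51.100.5
"""
NEW_FEED = """\
# comment lines and blanks are ignored
192.0.2.10
198.51.100.5
203.0.113.0/24
10.0.0.7
garbage-line
"""

# Assumed safety net: never let an external feed shun private or loopback space.
NEVER_SHUN = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_feed(text):
    """Turn feed text into a set of ip_network objects, dropping junk and protected ranges."""
    nets = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue                      # malformed entry: skip it rather than abort the update
        if any(net.version == p.version and net.subnet_of(p) for p in NEVER_SHUN):
            continue                      # protected range: ignore whatever the feed says
        nets.add(net)
    return nets


def rule_changes(current, new, chain="SHUN"):
    """Return (adds, deletes): iptables commands that move `chain` from `current` to `new`.

    Only the difference is emitted, so a list of tens of thousands of entries is not
    flushed and reloaded on every refresh.  The chain name is an assumption.
    """
    adds = [f"iptables -A {chain} -s {n} -j DROP" for n in sorted(new - current, key=str)]
    dels = [f"iptables -D {chain} -s {n} -j DROP" for n in sorted(current - new, key=str)]
    return adds, dels


if __name__ == "__main__":
    adds, dels = rule_changes(parse_feed(CURRENT_SHUN), parse_feed(NEW_FEED))
    for cmd in dels + adds:
        print(cmd)
```

With the sample data the script emits one delete (192.0.2.11/32 dropped out of the feed) and one add
(203.0.113.0/24), while the private address and the garbage line are discarded.  For a list the size Ragnar
quotes, a set-based match such as ipset scales better than tens of thousands of individual chain rules; the
diff approach keeps the update incremental either way.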

----- Original Message ----- 
From: "Kirby Angell" <kangell () alertra com>
To: "Incidents List" <incidents () securityfocus com>
Sent: Wednesday, November 03, 2004 6:03 PM
Subject: Maintaining a "watch list"


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would like to figure out a way I can maintain a "watch list" of IPs
that have generated traffic that is suspicious, but not suspicious
enough to warrant being shunned.  Ideally I'd like to be notified via
e-mail within a few minutes of the target IP connecting with my network;
no more than once per hour for each IP.  My need for this will become
apparent with a post I'll make to this list later tonight.

We monitor all the traffic coming into and out of our production
machines so I have some flexibility here.  I've thought of solutions
involving tcpdump, ngrep, and other things.  I just wondered what others
did when they have an IP that might turn out to be an attacker, but they
aren't sure yet.

- --
Thank you,

Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D  836A DB5B A751 9004 F4C0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBiWPL21unUZAE9MARAh5AAJ9QLvW+uSQcpVplLXXo8E/zWLJFTwCfcbyf
97GyWhZjNOnspd3b7iNB6Gg=
=RWwG
-----END PGP SIGNATURE-----
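
An added example, not part of Kirby's post, of one way to do the watch-and-notify he asks for: match source
addresses against a watch list of hosts and CIDR ranges and raise a notification for each hit, suppressed to
at most once per hour per IP.  The one-line connection record format, the watch entries and the sample
records are constructed for this example; the `notify` hook is a placeholder for whatever mailer is used.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed watch list (example data, not from the thread): single hosts and CIDR ranges.
WATCH_ENTRIES = ["192.0.2.10", "198.51.100.0/24"]

# Constructed connection records, one per line: "<timestamp> <src_ip> -> <dst_ip>:<dst_port>"
# (the kind of summary a tcpdump/ngrep wrapper could emit; the format is an assumption).
SAMPLE_LOG = """\
2004-11-03T18:00:00 192.0.2.10 -> 203.0.113.5:22
2004-11-03T18:20:00 192.0.2.10 -> 203.0.113.5:80
2004-11-03T18:25:00 198.51.100.77 -> 203.0.113.5:443
2004-11-03T18:40:00 10.0.0.3 -> 203.0.113.5:80
2004-11-03T19:05:00 192.0.2.10 -> 203.0.113.6:22
not a log line
2004-11-03T19:10:00 198.51.100.77 -> 203.0.113.5:443
"""


class WatchList:
    """Match source IPs against watch entries and throttle notifications per IP."""

    def __init__(self, entries, min_interval=timedelta(hours=1)):
        self.networks = [ipaddress.ip_network(e, strict=False) for e in entries]
        self.min_interval = min_interval
        self.last_notified = {}   # src ip string -> time of the last notification sent

    def matches(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def note_connection(self, when, src, dst, port):
        """Return notification text if one is due for this connection, else None."""
        if not self.matches(src):
            return None
        last = self.last_notified.get(src)
        if last is not None and when - last < self.min_interval:
            return None           # already notified for this IP within the interval
        self.last_notified[src] = when
        return f"{when.isoformat()} watch-listed {src} connected to {dst}:{port}"


def parse_record(line):
    """Parse one record; return (datetime, src, dst, port) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "->" or ":" not in parts[3]:
        return None
    dst, _, port = parts[3].rpartition(":")
    try:
        when = datetime.fromisoformat(parts[0])
        ipaddress.ip_address(parts[1])    # reject records with a garbage source field
        return when, parts[1], dst, int(port)
    except ValueError:
        return None


def run(log_text, entries=WATCH_ENTRIES, notify=None):
    """Feed records through the watch list; return the list of notifications issued."""
    wl = WatchList(entries)
    issued = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue                      # skip unparsable lines instead of dying on them
        msg = wl.note_connection(*rec)
        if msg:
            issued.append(msg)
            if notify:
                notify(msg)               # e.g. an smtplib-based mailer in production
    return issued


if __name__ == "__main__":
    for m in run(SAMPLE_LOG):
        print(m)
```

On the sample records this issues three notifications: the first 192.0.2.10 connection, the 198.51.100.77
connection, and the 192.0.2.10 connection 65 minutes after the first.  The 18:20 and 19:10 hits fall
inside the hour and are suppressed, 10.0.0.3 is not on the list, and the malformed line is skipped.  Fed from a
live tcpdump or ngrep pipe instead of the embedded string, the same logic gives the few-minute latency Kirby
describes.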


