nanog mailing list archives
Re: advise on network security report
From: Steve Atkins <steve () blighty com>
Date: Mon, 30 Oct 2006 09:58:16 -0800
On Oct 30, 2006, at 9:44 AM, Randy Bush wrote:
> > o being put on a major DNS black list (spamcop, spamhaus, ahbl etc.)
> > o hosting malware or phishing sites, open proxies
> > o sending LOTS of SPAM, virus
> > o IRC abuse
> > o Botnet C&C
> > o hoping glue/fast flux
> > o abusive, vulnerable web servers
> >
> > Some of those are clearly ludicrous to count as "incidents" at all
>
> oh? which? i can see some not being clearly incidents, but rather operational states, e.g. a vulnerable server/service. but ludicrous?
Well, the data sources that have a significant false positive rate are going to count many things as "incidents" that are anything but. If sending closed-loop, opt-in email is considered equivalent to hosting a botnet command and control network... the data is meaningless.

In the hope of not pulling the blacklist trolls out of the woodwork I'm not going to be more specific as to which of those data sources have noticeable false positive issues, but I'm sure you get my point.

Cheers,
Steve