Snort mailing list archives

Re: Action Recommendations


From: Glenn Forbes Fleming Larratt <glratt () rice edu>
Date: Thu, 31 Oct 2002 10:02:46 -0600 (CST)

Ditto. We determined empirically that:

        - if you need an IDS, run an IDS; if you need a firewall, run a 
        firewall. Your border router is a router, and you'll kill
        your border performance incrementally by making it do work for
        which it's not optimized or even really designed.

        - Steve has noted (paraphrased) that "it depends mostly on the
        ISP"; I would second that, and note that in our experience of
        supplying detailed logs, timezone, all the goodies, that
        95-98% of our complaints fell on deaf ears (the most common 
        results of our e-mail notifications were: no response; mailbounce
        for no such address [mind you, we send to the registered point 
        of contact]; mailbounce for quota violations [this was
        frequently the case with 'security@' addresses]).

        - we have recently revamped our procedures, noting the amount
        of time we were spending on fruitless pursuits, such that the
        circumstances in which we actually block a remote network are
        much more rare. Jury's still out on whether this is a viable 
        approach, from the standpoint of resources committed for
        results achieved.

                -g

On Mon, 28 Oct 2002, twig les wrote:

Date: Mon, 28 Oct 2002 10:31:30 -0800 (PST)
From: twig les <twigles () yahoo com>
To: Justin Jessup <jaager7 () earthlink net>, snort () braingia org,
     jarret () osa comax com
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Action Recommendations

I worked at an ISP that blocked offending IPs at the
border.  It was an insane policy and resulted in Cisco
7500s with 99% CPU utilization because the acls were
6,000-10,000 lines each.  I wouldn't go down that road
unless the attacking IP/range is particularly nasty.


--- Justin Jessup <jaager7 () earthlink net> wrote:
i believe SANS has such a database setup, with the
most frequent abusive IP addresses listed


jj

Steve Suehring <snort () braingia org> wrote:
__________
On Sun, Oct 27, 2002 at 01:20:04PM -0500, Jarret
Gibson wrote: 
   - Should I bother with reporting these
security problems to the 
   offending person's ISP / office?  I've heard
most of you say that 
   people rarely (if ever) do anything about the
script kiddies / hackers 
   when you report them. 

I can't so much speak to the other questions in the
email, but as far as  
reporting goes, it depends on a few factors.   

I've found that three major factors come into play
when reporting:  Which  
ISP owns the IP space, what you're reporting, what
you include in the  
report. 

First and foremost, it is unfortunate to say that
it depends on which ISP 
you report the activity to.  It appears that some
ISPs absolutely don't 
care what happens within their IP space.  This is
the direct result of the 
abuse department not having enough resources and in
some cases not having 
a clue.  I've found *and this is just my opinion*
that cable companies and  
telephone companies that now sell Internet are many
times lacking in both.   

Secondly, what you're reporting is also important. 
The abuse department  
receives massive amounts of email.  If you're
reporting a simple 'wrong  
number' type scan where someone typed in the wrong
IP, they're likely to  
not pursue it.  Again, this goes back to the abuse
department not having  
enough resources. 

Finally, what you include in the report is also
important.  I've seen a 
number of reports come in from people all over
claiming that a customer 
was doing something.  In fact, sometimes the report
would say just that 
"one of your customers is doing something to my web
server, stop now!"   
Obviously, there's lots we could do with a report
like that.  :)  If you 
include information such as logfiles, timezone, why
exactly this was bad 
or indicative of abuse, etc, your report would have
a better chance of 
being investigated.  This somewhat ties in with the
abuse department not  
having a clue and not having resources. 

Again, the ISP is the biggest factor in the
process.  Some ISPs are great  
at slapping users, others seem to have a blackhole
abuse mailbox.   

One idea (that someone else has already had, I'm
sure) would be to set up 
centralized site that contained an abuse reports
database.  You could then 
grab the list sorted by the top 10 subnets that the
hijinx originates from 
and block 'em.  Part of the database could contain
whether or not the 
activity was reported to the ISP and what they did
about it.  Correlating 
that information it would become evident which ISPs
are attempting to do 
something about abuse from their IP space.  If this
isn't out there 
already and there is some interest, I'd be willing
to look into it 
further. I thought I saw something like this on ISS
or SANS or someone, I 
can't remember. 

Anyway, hope that helps to give you an idea on
reporting things. 

Steve 



-------------------------------------------------------

This SF.net email is sponsored by: ApacheCon,
November 18-21 in 
Las Vegas (supported by COMDEX), the only Apache
event to be 
fully supported by the ASF.
http://www.apachecon.com 
_______________________________________________ 
Snort-users mailing list 
Snort-users () lists sourceforge net 
Go to this URL to change user options or
unsubscribe: 

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive: 

http://www.geocrawler.com/redir-sf.php3?list=snort-users



=====
-----------------------------------------------------------
Heavy metal made me do it.                        
-----------------------------------------------------------





                                Glenn Forbes Fleming Larratt
                                Rice University Network Management 
                                glratt () rice edu



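Steve's suggestion of a centralized abuse-report database, and Glenn's point that blocking a remote network should be rare and justified by results, both come down to the same bookkeeping: count reports per source subnet, track how each ISP responded, and only consider a block where volume is high and the responsible ISP has a record of doing nothing. The script below is an added illustration written for this archive page; it is not code from the thread or from any project mentioned in it. The report records, ISP names and addresses are constructed (documentation ranges), and the field names `src`, `isp`, `reported` and `outcome`, along with the thresholds in `block_candidates`, are assumptions chosen for the example.

```python
from collections import Counter, defaultdict
import ipaddress

# Constructed sample abuse reports: RFC 5737 documentation addresses and
# made-up ISP names.  "outcome" records what came back from the abuse contact.
REPORTS = [
    {"src": "203.0.113.10",  "isp": "ExampleCable", "reported": True,  "outcome": "no response"},
    {"src": "203.0.113.77",  "isp": "ExampleCable", "reported": True,  "outcome": "bounce"},
    {"src": "203.0.113.200", "isp": "ExampleCable", "reported": False, "outcome": None},
    {"src": "198.51.100.5",  "isp": "ExampleTel",   "reported": True,  "outcome": "user terminated"},
    {"src": "198.51.100.9",  "isp": "ExampleTel",   "reported": True,  "outcome": "investigating"},
    {"src": "192.0.2.42",    "isp": "ExampleHost",  "reported": True,  "outcome": "no response"},
    {"src": "192.0.2.43",    "isp": "ExampleHost",  "reported": True,  "outcome": "bounce"},
    {"src": "192.0.2.44",    "isp": "ExampleHost",  "reported": True,  "outcome": "no response"},
]

# Outcomes that mean the report went nowhere (the "deaf ears" cases in the thread).
DEAD_ENDS = {"no response", "bounce"}


def subnet_of(ip, prefix=24):
    """Collapse a source address to its enclosing /prefix network (assumed granularity)."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def top_subnets(reports, prefix=24, n=10):
    """Rank subnets by number of abuse reports, most active first."""
    counts = Counter(subnet_of(r["src"], prefix) for r in reports)
    return counts.most_common(n)


def isp_response_rates(reports):
    """Fraction of reports sent to each ISP that got any real response."""
    sent, acted = Counter(), Counter()
    for r in reports:
        if not r["reported"]:
            continue
        sent[r["isp"]] += 1
        if r["outcome"] not in DEAD_ENDS:
            acted[r["isp"]] += 1
    return {isp: acted[isp] / sent[isp] for isp in sent}


def block_candidates(reports, min_reports=3, max_response_rate=0.5, prefix=24):
    """Subnets worth considering for a block: enough reports, and every ISP
    seen in the subnet has a response rate at or below the threshold."""
    rates = isp_response_rates(reports)
    by_subnet = defaultdict(list)
    for r in reports:
        by_subnet[subnet_of(r["src"], prefix)].append(r)
    out = []
    for net, rs in by_subnet.items():
        if len(rs) < min_reports:
            continue
        isps = {r["isp"] for r in rs}
        if all(rates.get(isp, 0.0) <= max_response_rate for isp in isps):
            out.append(net)
    return sorted(out)


if __name__ == "__main__":
    for net, count in top_subnets(REPORTS):
        print(f"{net:<18} {count} report(s)")
    for isp, rate in sorted(isp_response_rates(REPORTS).items()):
        print(f"{isp:<14} responded to {rate:.0%} of reports")
    print("block candidates:", block_candidates(REPORTS))
```

With the constructed data, the subnet with two reports is left alone even though it is active, because its ISP acted on every report; the two subnets whose ISPs never answered are the only ones proposed for a block. Swapping the constructed list for parsed sensor alerts plus a log of what each abuse mailbox replied gives the correlation Steve describes, and the thresholds make Glenn's "rare block" policy explicit and reviewable.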

