Snort mailing list archives

Re: Action Recommendations


From: Steve Suehring <snort () braingia org>
Date: Sun, 27 Oct 2002 15:33:22 -0600

On Sun, Oct 27, 2002 at 01:20:04PM -0500, Jarret Gibson wrote:
   - Should I bother with reporting these security problems to the
   offending person's ISP / office?  I've heard most of you say that
   people rarely (if ever) do anything about the script kiddies / hackers
   when you report them.

I can't so much speak to the other questions in the email, but as far as 
reporting goes, it depends on a few factors.  

I've found that three major factors come into play when reporting:  Which 
ISP owns the IP space, what you're reporting, what you include in the 
report.

First and foremost, it is unfortunate to say that it depends on which ISP
you report the activity to.  It appears that some ISPs absolutely don't
care what happens within their IP space.  This is the direct result of the
abuse department not having enough resources and in some cases not having
a clue.  I've found *and this is just my opinion* that cable companies and 
telephone companies that now sell Internet are many times lacking in both.  

Secondly, what you're reporting is also important.  The abuse department 
receives massive amounts of email.  If you're reporting a simple 'wrong 
number' type scan where someone typed in the wrong IP, they're likely to 
not pursue it.  Again, this goes back to the abuse department not having 
enough resources.

Finally, what you include in the report is also important.  I've seen a
number of reports come in from people all over claiming that a customer
was doing something.  In fact, sometimes the report would say just that
"one of your customers is doing something to my web server, stop now!"  
Obviously, there's lots we could do with a report like that.  :)  If you
include information such as logfiles, timezone, why exactly this was bad
or indicative of abuse, etc, your report would have a better chance of
being investigated.  This somewhat ties in with the abuse department not 
having a clue and not having resources.

Again, the ISP is the biggest factor in the process.  Some ISPs are great 
at slapping users, others seem to have a blackhole abuse mailbox.  

One idea (that someone else has already had, I'm sure) would be to set up
a centralized site that contained an abuse reports database.  You could then
grab the list sorted by the top 10 subnets that the hijinx originates from
and block 'em.  Part of the database could contain whether or not the
activity was reported to the ISP and what they did about it.  Correlating
that information, it would become evident which ISPs are attempting to do
something about abuse from their IP space.  If this isn't out there
already and there is some interest, I'd be willing to look into it
further. I thought I saw something like this on ISS or SANS or someone, I
can't remember.

Anyway, hope that helps to give you an idea on reporting things.

Steve
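As an added illustration (not part of Steve's mail or any Snort tool) of the report contents he recommends, the script below parses Snort "fast" alert lines, stamps them with the sensor's timezone and converts to UTC, ranks the source /24s by alert count (the "top 10 subnets" idea), and assembles a report for one subnet that carries the rule ids, what was flagged, and the unaltered log lines. The alert lines, the UTC-5 sensor offset and the RFC 5737 addresses are constructed assumptions.

```python
"""Added example: turn Snort 'fast' alert lines into an abuse report that
states the timezone, keeps the raw log evidence, and ranks source /24s."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network

# Constructed sample alerts using RFC 5737 documentation addresses, not real hosts.
SAMPLE_ALERTS = """\
10/27/02-13:20:04.117 [**] [1:1234:5] SCAN nmap TCP [**] [Priority: 2] {TCP} 192.0.2.10:4567 -> 198.51.100.5:80
10/27/02-13:20:05.002 [**] [1:1234:5] SCAN nmap TCP [**] [Priority: 2] {TCP} 192.0.2.10:4568 -> 198.51.100.5:22
10/27/02-13:25:41.900 [**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Priority: 1] {TCP} 192.0.2.77:1033 -> 198.51.100.5:80
10/27/02-14:02:10.450 [**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Priority: 1] {TCP} 203.0.113.9:2020 -> 198.51.100.5:80
"""
SENSOR_TZ = timezone(timedelta(hours=-5))  # assumed sensor clock offset; the report states it

FAST_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_fast_alerts(text, sensor_tz=SENSOR_TZ):
    """Parse fast-format lines; local timestamps are tagged with the sensor's
    zone and converted to UTC so the ISP does not have to guess the offset."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue  # not a fast-format alert line
        local = datetime.strptime(m["ts"], "%m/%d/%y-%H:%M:%S.%f").replace(tzinfo=sensor_tz)
        alerts.append({**m.groupdict(), "utc": local.astimezone(timezone.utc), "raw": line})
    return alerts

def top_source_subnets(alerts, prefix=24, n=10):
    """Rank source /24s by alert count: the 'top 10 subnets' view from the mail."""
    counts = Counter(str(ip_network(f"{a['src']}/{prefix}", strict=False)) for a in alerts)
    return counts.most_common(n)

def build_abuse_report(alerts, subnet):
    """Evidence for one subnet: UTC times, rule ids, what the rule flagged, raw lines."""
    net = ip_network(subnet)
    mine = [a for a in alerts if ip_network(f"{a['src']}/{net.prefixlen}", strict=False) == net]
    lines = [f"Abuse report for {subnet}: {len(mine)} Snort alerts, all times UTC"]
    for a in mine:
        lines.append(f"{a['utc']:%Y-%m-%d %H:%M:%S}Z sid {a['sid']} {a['src']}:{a['sport']} -> "
                     f"{a['dst']}:{a['dport']} {a['proto']}: {a['msg']}")
    lines.append(f"Raw Snort log lines (unaltered, sensor local time {SENSOR_TZ}):")
    lines += [a["raw"] for a in mine]
    return "\n".join(lines)
```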

