Snort mailing list archives

Re: Action Recommendations


From: "Justin Jessup" <jaager7 () earthlink net>
Date: Sun, 27 Oct 2002 23:55:19 +0000 (GMT)

I believe SANS has such a database setup, with the most frequent abusive IP addresses listed


jj

Steve Suehring <snort () braingia org> wrote:
__________
On Sun, Oct 27, 2002 at 01:20:04PM -0500, Jarret Gibson wrote: 
   - Should I bother with reporting these security problems to the 
   offending person's ISP / office?  I've heard most of you say that 
   people rarely (if ever) do anything about the script kiddies / hackers 
   when you report them. 

I can't so much speak to the other questions in the email, but as far as  
reporting goes, it depends on a few factors.   

I've found that three major factors come into play when reporting:  Which  
ISP owns the IP space, what you're reporting, what you include in the  
report. 

First and foremost, it is unfortunate to say that it depends on which ISP 
you report the activity to.  It appears that some ISPs absolutely don't 
care what happens within their IP space.  This is the direct result of the 
abuse department not having enough resources and in some cases not having 
a clue.  I've found *and this is just my opinion* that cable companies and  
telephone companies that now sell Internet are many times lacking in both.   

Secondly, what you're reporting is also important.  The abuse department  
receives massive amounts of email.  If you're reporting a simple 'wrong  
number' type scan where someone typed in the wrong IP, they're likely to  
not pursue it.  Again, this goes back to the abuse department not having  
enough resources. 

Finally, what you include in the report is also important.  I've seen a 
number of reports come in from people all over claiming that a customer 
was doing something.  In fact, sometimes the report would say just that 
"one of your customers is doing something to my web server, stop now!"   
Obviously, there's lots we could do with a report like that.  :)  If you 
include information such as logfiles, timezone, why exactly this was bad 
or indicative of abuse, etc, your report would have a better chance of 
being investigated.  This somewhat ties in with the abuse department not  
having a clue and not having resources. 

Again, the ISP is the biggest factor in the process.  Some ISPs are great  
at slapping users, others seem to have a blackhole abuse mailbox.   

One idea (that someone else has already had, I'm sure) would be to set up 
a centralized site that contained an abuse reports database.  You could then 
grab the list sorted by the top 10 subnets that the hijinx originates from 
and block 'em.  Part of the database could contain whether or not the 
activity was reported to the ISP and what they did about it.  By correlating 
that information, it would become evident which ISPs are attempting to do 
something about abuse from their IP space.  If this isn't out there 
already and there is some interest, I'd be willing to look into it 
further. I thought I saw something like this on ISS or SANS or someone, I 
can't remember. 

Anyway, hope that helps to give you an idea on reporting things. 

Steve 


------------------------------------------------------- 
This SF.net email is sponsored by: ApacheCon, November 18-21 in 
Las Vegas (supported by COMDEX), the only Apache event to be 
fully supported by the ASF. http://www.apachecon.com 
_______________________________________________ 
Snort-users mailing list 
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users 
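Steve's two practical points, the "top subnets" list and what a report needs to contain (log lines, timezone, why the activity was bad), can be sketched against Snort's own alert output. The following is an added example, not code from this thread or from the Snort project: it assumes alert_fast-style lines, a log year of 2002 and a sensor clock at UTC-5 (both labelled as assumptions in the code), and works on constructed sample alerts using documentation address ranges. It aggregates alerts by /24 source subnet, drops the low-priority "wrong number" noise, and renders a per-subnet evidence block with timestamps normalised to UTC so the recipient never has to guess the sensor's timezone.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of Snort's alert_fast output (Snort omits the
# year); source addresses are RFC 5737 documentation ranges, not real offenders.
SAMPLE_ALERTS = """\
10/27-13:20:04.102331  [**] [1:1000001:1] SCAN nmap SYN probe [**] [Priority: 2] {TCP} 192.0.2.10:45001 -> 198.51.100.5:80
10/27-13:20:04.102879  [**] [1:1000001:1] SCAN nmap SYN probe [**] [Priority: 2] {TCP} 192.0.2.10:45002 -> 198.51.100.5:443
10/27-13:20:05.000120  [**] [1:1000001:1] SCAN nmap SYN probe [**] [Priority: 2] {TCP} 192.0.2.77:51010 -> 198.51.100.5:22
10/27-13:41:19.550000  [**] [1:1000002:1] WEB-MISC /etc/passwd request [**] [Priority: 1] {TCP} 203.0.113.9:3301 -> 198.51.100.5:80
10/27-14:02:33.010000  [**] [1:1000003:1] MISC single SYN to closed port [**] [Priority: 3] {TCP} 203.0.113.200:1025 -> 198.51.100.5:8080
"""
LOG_YEAR = 2002                              # assumed: the year the log was written
SENSOR_TZ = timezone(timedelta(hours=-5))    # assumed: sensor clock runs at UTC-5
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-[\d:.]+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_alerts(text, year=LOG_YEAR, sensor_tz=SENSOR_TZ):
    """Parse alert_fast lines into dicts, with the timestamp normalised to UTC."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue  # not a single-line fast alert; skip it
        local = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        a = m.groupdict()
        a.update(utc=local.replace(tzinfo=sensor_tz).astimezone(timezone.utc),
                 src=ip_address(m["src"]), prio=int(m["prio"]))
        alerts.append(a)
    return alerts

def top_subnets(alerts, prefix=24, n=10, max_priority=2):
    """Alert count per source subnet; Snort priority 1 is most severe, so
    max_priority=2 drops the priority-3 'wrong number' noise an abuse desk ignores."""
    counts = Counter(str(ip_network(f"{a['src']}/{prefix}", strict=False))
                     for a in alerts if a["prio"] <= max_priority)
    return counts.most_common(n)

def abuse_report(alerts, subnet):
    """Evidence block for one subnet: UTC time, protocol, ports, rule id and message."""
    net = ip_network(subnet)
    hits = sorted((a for a in alerts if a["src"] in net), key=lambda a: a["utc"])
    lines = [f"Abuse report for {net} (all times UTC)"]
    for a in hits:
        lines.append(f"{a['utc']:%Y-%m-%d %H:%M:%S}Z {a['proto']} {a['src']}:{a['sport']} -> "
                     f"{a['dst']}:{a['dport']} sid={a['sid']} prio={a['prio']} {a['msg']}")
    return "\n".join(lines)
```

The report deliberately includes every alert from the subnet, not just the high-priority ones, so the abuse desk sees the full picture; only the ranking step filters noise.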
