Snort mailing list archives
RE: You caught them, what next?
From: "Gordon Cunningham" <gcunnin2 () bellsouth net>
Date: Wed, 2 Apr 2003 16:13:41 -0500
STILL OFF TOPIC Matt, et al, I agree with your points, though I have written emails and provided info for my ISP to track down issues and correct them from virus-laden systems that continually attack my systems. Most of the time you get an auto-reply email and you never hear back from the ISP, but sometimes you do see the offending system get cleaned up a couple days later. However, this is the middle ground here - I believe the conscientious ISP would do well to pay attention to virus- and worm-spewing systems without (apparently) the owner's knowledge of the issue or problem. If I see a Code Red-infected system (which of course I can pick up with snort or my web server logs), and I don't have info as to the owner of the system, wouldn't it be a "good netizen" task to notify the ISP, who has the records of who that node belongs to, and allow them to contact the owner to inform them of the issue, maybe even help correct it? Maybe this shouldn't be an abuse () myisp com mail address - maybe we should lobby for another address (keepclean () myisp com) that have people to handle this type of situation? Assuming everyone is patched against the attack, that spewing system still hurts everyone in terms of bandwidth consumption. - Gordon -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Matt Kettler Sent: Wednesday, April 02, 2003 3:13 PM To: Tobias Rice; 'snort-users' Subject: Re: [Snort-users] You caught them, what next? Well, first, unless you've got evidence of actual malicious intent, an exploitation attempt, or actual damages to your service quality, I'd not waste your time writing letters. Sure, doing a NMAP fingerprint is a bit rude, but unless you can show they are somehow degrading your network by doing it too heavily, or are about to launch an exploit attempt, there's nothing that's actually against the ToS of most ISPs about doing it. IMHO, there really should not be a blanket prohibition of fingerprinting unless it somehow interferes with the network probed. After all, it's perfectly legitimate to do a NMAP OS fingerprint of a couple of sites as part of an academic research paper on TCP/IP stack deployments. That said, it's up to the operator of the scan to ensure that the methods won't interfere with the target servers or their networks, and if it does, said operator should be responsible for any disruption he or she causes. When it comes to the level of prohibition and disconnecting users, there really needs to be some evidence that this is of a malicious nature, or causes some kind of damage/degradation. Pure research is a valid thing on the internet. If you don't want to be a part of that research, firewall em. Personally, I view this as similar to calling the local police department complaining just because someone that doesn't live on your street drove down and took a few photos of a house on your block.. he could be a real estate agent or news reporter after all, and the police have better things to do with their time than answer overly paranoid hunches with no hint or evidence that he's got any form of criminal intent, did no actual damage to the property, nor violated any laws. At 09:57 AM 4/2/2003 -0800, Tobias Rice wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Good morning to you all! I hope that this isn't getting too far off topic, but since we all have this wonderful IDS in place, I'm sure you too are finding lots of people doing things they shouldn't. Which brings me to my question, what now? Other than blocking them at the router, what action should be taken? I often email the isp's technical contact telling them what I found and for them to put an end to it. But is this useful? I've never gotten an email back, and I've sent plenty, which leads me to believe that no action has been taken, it went to the wrong person, or my email (which are pretty curt, see example) has offended the RP and was discarded. What are you all doing about your alerts? [example email.] To Whom It May Concern: One of your customers, 216.243.8.18 (host18.fastdial.net), made 69 attempts to fingerprint my network via NMAP on 2003-04-02 03:43:39 Pacific. Please see to it that this stops immediately. Thank you for your cooperation. [/example email...] Thanks in advance! -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPoskmcNinOuDXR1bEQJxZQCgspaVA+RSZIzeg+hutqOUA/nI1roAn1jS g0POVPrAspbRMNYDs+rJiVnN =9C1U -----END PGP SIGNATURE----- ------------------------------------------------------- This SF.net email is sponsored by: ValueWeb: Dedicated Hosting for just $79/mo with 500 GB of bandwidth! No other company gives more support or power for your dedicated server http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list
------------------------------------------------------- This SF.net email is sponsored by: ValueWeb: Dedicated Hosting for just $79/mo with 500 GB of bandwidth! No other company gives more support or power for your dedicated server http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.net email is sponsored by: ValueWeb: Dedicated Hosting for just $79/mo with 500 GB of bandwidth! No other company gives more support or power for your dedicated server http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- You caught them, what next? Tobias Rice (Apr 02)
- Re: You caught them, what next? Joe Matusiewicz (Apr 02)
- Re: You caught them, what next? Matt Kettler (Apr 02)
- RE: You caught them, what next? Gordon Cunningham (Apr 02)
- Re: You caught them, what next? Michael Boman (Apr 04)
- <Possible follow-ups>
- RE: You caught them, what next? Drew Stockman (Apr 02)
- RE: You caught them, what next? L. Christopher Luther (Apr 02)
- RE: You caught them, what next? Brei, Matt (Apr 02)
- RE: You caught them, what next? L. Christopher Luther (Apr 02)
- RE: You caught them, what next? FWAdmin (Apr 02)
- RE: You caught them, what next? Brei, Matt (Apr 02)
- Re: You caught them, what next? Jason Haar (Apr 02)
- RE: You caught them, what next? L. Christopher Luther (Apr 03)
- RE: You caught them, what next? Erek Adams (Apr 03)
(Thread continues...)