Snort mailing list archives
Re: cultural questions from a newbie
From: Ricky Charlet <rcharlet () speakeasy net>
Date: Thu, 7 Aug 2003 11:56:16 -0700
OK, the feedback I have is: No, there is no current established netiquette for handling sending feedback to attacking systems whom you suspect are run by unwitting admins. And furthermore, there is no reliable channel to give the feedback. And furthermore, most of these unwitting admins would not comprehend the feedback.

I do not believe or accept the last line above. I think a great many people who have bothered to install a server on their system would be able to follow directions on a vendor's webpage about how to install patches and follow directions on another vendor's webpage about how to update virus definitions. And a great many more would be able to ask a friend how to do it.
As for the reliable feedback channel problem, we need something new. A new tcp port and server for "please stop attacking me" messages. This new communication channel needs to have a reliable server (always on) listening for messages, needs to be spam proofed, and needs to be moderately trusted. This could be done. I'm posting a "what do you think" question on this topic to slashdot. And I'm asking this list, "What do you think?" I think the internet can be made a better place.
---
Ricky Charlet
rcharlet () alumni calpoly edu
510.324.3163

On Wednesday, August 6, 2003, at 06:39 AM, Erek Adams wrote:

> On Tue, 5 Aug 2003, Ricky Charlet wrote:
>
> > OK, I've had snort snorting on my system for about 4 days now. (By the way, count this as a success report on Mac OS X 10.2.6 with snort 2.0.0, clean compile and install - no problems.)
>
> Schweet! :)
>
> > So WOW! What a lot of attempted attacks there are! Yesterday alone I have 14 attempted attacks and 24 attempted scans. For the 4 days the attacks have been overwhelmingly aimed at MS-SQL server and MS-IIS-ISAPI. The Rule descriptions (SIDs=2003 and 1243) say that the worms "Slammer" and "Code Red" (respectively) used these vulnerabilities to propagate.
>
> Welcome to our world. :) It's kinda like having a pair of really, really dark shades removed....
>
> > So my initial (newbie) assessment is that there are many unpatched, infected systems out there. I would guess that most of the infected systems are run by sys-admins who want to be white-hat guys or gals but are simply unaware that they have an infection.
>
> Errrr... I think you're giving them too much credit. For the most part, your "normal" user has no concept of Security, patching, advisories, vendor notices, or anything along those lines. It's the "turn it on, and it works" mentality. We've been clicked and dragged into a point-n-drool generation courtesy of <insert Microsoft bash here>.
>
> > My big question is: what can be done to help the admins of these infected systems?
>
> Install OpenBSD on them. ;-)
>
> > Because these attacks are against MS systems, sending an email to root@<IP_ADDRESS> is very unlikely to reach anyone. It seems to me that we would need the cooperation of each ISP to get a message to the owners of the infected systems. But sending an email to abuse@<ISP> seems a little extreme. Is there any current netiquette in the snort community relating to how to get in touch with attacking systems under the assumption that the sysadmin would correct the infection if made aware of it?
>
> Honestly, there's not too much you can do. You could look up the contacts for the domain and make a phone call, but that has limited success. Email is almost useless for the majority of those. If it's coming from a DSL/Cable modem.... Just forget it. No one will care or even understand what you are telling them--And you'd never get to the end user anyway. :-/
>
> Yeah, it sucks. That's the sad part about becoming "clueful" and understanding what's going on--You see so much of the failures of others, you start to wonder "Why did I even do this?"
>
> Cheers! (And yes, I'm feeling a bit cynical this morning....)
>
> -----
> Erek Adams
> "When things get weird, the weird turn pro." H.S. Thompson
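As an added example, not from either poster, one way to turn the daily tallies described in the quoted message into the per-source evidence an abuse desk or ISP contact can act on: parse Snort 2.x fast-format alert lines (assumed output format; the sample lines below are constructed, using the Slammer and Code Red SIDs 2003 and 1243 named in the thread) and group them by attacking source.

```python
import re
from collections import defaultdict

# Matches Snort 2.x "alert_fast" lines (assumed format; one alert per line).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-[\d:.]+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample alerts (not taken from the post); documentation-range IPs only.
SAMPLE_ALERTS = """\
08/06-03:12:41.102233  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1072 -> 198.51.100.5:1434
08/06-03:12:42.551900  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1072 -> 198.51.100.5:1434
08/06-04:01:07.000412  [**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:3391 -> 198.51.100.5:80
08/06-09:45:13.778001  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.77:1033 -> 198.51.100.5:1434
this line is deliberately malformed and must be skipped
"""

def parse_alerts(text):
    """Return one dict per well-formed alert line; anything else is skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]

def summarize_by_source(alerts):
    """Group alerts by source IP: hit count, distinct SIDs, ports hit, first/last seen."""
    summary = defaultdict(lambda: {"hits": 0, "sids": set(), "dports": set(),
                                   "first": None, "last": None})
    for a in alerts:
        s = summary[a["src"]]
        s["hits"] += 1
        s["sids"].add(int(a["sid"]))
        s["dports"].add(int(a["dport"]))
        # MM/DD-HH:MM:SS.usec timestamps sort correctly as strings within one year.
        s["first"] = a["ts"] if s["first"] is None else min(s["first"], a["ts"])
        s["last"] = a["ts"] if s["last"] is None else max(s["last"], a["ts"])
    return dict(summary)

def abuse_report_lines(summary):
    """One plain-text line per source, busiest first: the evidence an abuse desk asks for."""
    lines = []
    for src, s in sorted(summary.items(), key=lambda kv: -kv[1]["hits"]):
        sids = ",".join(str(x) for x in sorted(s["sids"]))
        ports = ",".join(str(x) for x in sorted(s["dports"]))
        lines.append(f"{src}: {s['hits']} alerts, SIDs {sids}, dst ports {ports}, "
                     f"{s['first']} .. {s['last']}")
    return lines

if __name__ == "__main__":
    print("\n".join(abuse_report_lines(summarize_by_source(parse_alerts(SAMPLE_ALERTS)))))
```

Feeding a real alert file through `parse_alerts` instead of the constructed sample gives the per-source summary; the lookup of who owns each source (whois, ISP abuse contact) is still the manual step the thread discusses.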