[Snort-users] Win* machines - port 139 scans

John A. Bornt greywolf at ...541...
Mon Oct 2 00:44:57 EDT 2000


Well, given that BellSouth only spans two timezones that I know of, and that
interpreting an FQDN for one's own subnets should be a no-brainer, I would
think that they would be able to figure out how to extract the identity
(i.e. username and phone number) of a user given the FQDN and timestamp. It
might take a phone call or two between offices, but hey, they are a telco
too.

To illustrate (taking some examples from Lance's capture):

adsl-78-193-159.mia.bellsouth.net       21Sep2000       20:29:32       nbsession
>>could this mean an adsl connection out of a Miami access server?

or

adsl-79-140-75.atl.bellsouth.net        22Sep2000       6:08:14        nbsession
>>could this be one out of Atlanta?

Perhaps I'm oversimplifying, but given the amount of money that is paid for
access I would think that the people at BellSouth could provide a little
better service. Further, if I provide information on my location
geographically by city and state, how hard is it to extrapolate my timezone?
If it isn't obvious, then there are numerous places (like maps) to look it
up.

Not one other ISP that I reported such activity to requested such
information. It was, imho, a stall tactic. Sort of like, we hear you, and we
feel your pain, but we've got better things to do. So, in the end it's not
that it was too much to send "EST", but simply that I expected better from
an upstream provider, especially one as large as BellSouth.

Regards,

John



