[Snort-users] Win* machines - port 139 scans

H Carvey keydet89 at ...131...
Mon Oct 2 05:24:11 EDT 2000

> Well, given that Bellsouth only spans two timezones
> that I know of; 

Again...since you didn't really post enough info to be
fully clear, I would guess that they were asking for
_your_ timezone information.  Given that English
speaking people can now be reached all over the world,
almost instantaneously via the Internet, it's not hard
to imagine, I suppose.

> and that
> interpreting an FQDN for one's own subnets should be
> a no-brainer, I would
> think that they would be able to figure out how to
> extract the identity
> (i.e. username and phone number) of a user given the
> FQDN and timestamp. It
> might take a phone call or two between offices, but
> hey, they are a telco
> too.

Sure...I would agree.  But if you're (you, personally)
in Sydney, Aus., it's going to make a big difference
over you being in Atlanta, Ga.

> To illustrate (taking some examples from Lance's
> capture):
> adsl-78-193-159.mia.bellsouth.net  21Sep2000  20:29:32  nbsession
> >>could this mean an adsl connection out of a Miami
> access server?

Sure...but it's irrelevant, really.  What matters here
is what is in your logs, and what _you_ reported to
the ISP...

> Perhaps I'm oversimplifying, but given the amount of
> money that is paid for
> access I would think that the people at bellsouth
> could provide a little
> better service. 

You'd be surprised...

> Further, if I provide information on
> my location
> geographically by city and state, how hard is it to
> extrapolate my timezone.

I have no idea.  It would seem that it was important
enough to them to ask, however.  

> If it isn't obvious, then there are numerous places
> (like maps) to look it
> up.
> Not one other ISP that I reported such activity to
> requested such
> information. It was, imho, a stall tactic. Sort of
> like, we hear you, and we
> feel your pain, but we've got better things to do.
> So, in the end it's not
> that it was too much to send "EST", but simply that
> I expected better from
> an upstream provider, especially one as large as
> BellSouth.

Well, in the end, it could very well have been a stall
tactic...who knows.  I guess only the person who
responded to you will know.  As the security officer
for a large telecomm, I take legitimate complaints
seriously...in fact, I've called dial-up customers
back, personally.  However, I will have to admit that
I probably do not see all of the "hey, that guy
scanned me" emails, as they are likely handled


