[Snort-users] Win* machines - port 139 scans

Wozz wozz+rt at ...471...
Mon Oct 2 18:21:15 EDT 2000

On Mon, Oct 02, 2000 at 02:24:11AM -0700, H Carvey wrote:
> > Well, given that Bellsouth only spans two timezones
> > that I know of; 
> Again...since you didn't really post enough info to be
> fully clear, I would guess that they were asking for
> _your_ timezone information.  Given that English
> speaking people can now be reached all over the world,
> almost instantaneously via the Internet, it's not hard
> to imagine, I suppose.

Exactly.  Obviously, we're not looking for time zone info for our
customers, we know that based on IP.  We need the timezone of the system
that generated the logs, otherwise, we have no idea what time that will
translate to in our local dhcp logs.  And trying to 'interpret' the
Timezone never works out well.  Many times, the person emailing is sending
in logs from a system in a different time zone, or the domain they are
using is registered in a different time zone, etc, etc, etc.  All you need
to do is include a time zone with your log files and everything will be
fine.  I don't think it's too much to ask ;)

> > Perhaps I'm oversimplifying, but given the amount of
> > money that is paid for
> > access I would think that the people at bellsouth
> > could provide a little
> > better service. 
> You'd be surprised...

This isn't a service issue at all.  Now, if you provide them all the
information they need (like the timezone) and THEN they don't do anything,
it's a service issue.  Then again, YOU aren't paying Bellsouth.  You're just
some random person who isn't necessarily paying them a dime.  Again, I can
only speak for my own situation, but as an abuse@ person, I can say that
our customers' complaints get priority over external complaints, but no
matter what, all complaints are eventually dealt with.

> > Further, if I provide information on
> > my location
> > geographically by city and state, how hard is it to
> > extrapolate my timezone.
> > If it isn't obvious, then there are numerous places
> > (like maps) to look it
> > up.
> > 

So, you could provide two lines of text to say your city and state, and
then hope they have a timezone map, or you could provide 6 characters
(GMT-/+00) that will give them the information they need.

> > Not one other ISP that I reported such activity to
> > requested such
> > information. It was, imho, a stall tactic. Sort of
> > like, we hear you, and we
> > feel your pain, but we've got better things to do.
> > So, in the end it's not
> > that it was too much to send "EST", but simply that
> > I expected better from
> > an upstream provider, especially one as large as
> > BellSouth.

I'd like someone to explain how BellSouth is supposed to magically know
what timezone the system generating the logs is in?  Is there something you
all know that I don't?

> Well, in the end, it could very well have been a stall
> tactic...who knows.  I guess only the person who
> responded to you will know.  As the security officer
> for a large telecomm, I take legitimate complaints
> seriously...in fact, I've called dial-up customers
> back, personally.  However, I will have to admit that
> I probably do not see all of the "hey, that guy
> scanned me" emails, as they are likely handled
> locally.

I see plenty of those, and if there's not enough information to go on, then
we bounce them back to the complainants with a note asking for the
information we need.  More often than not, we NEVER get a response back.
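
Added example, not part of the original post: a sketch of why an abuse desk cannot resolve a zone-less log timestamp against its DHCP lease history. The address, lease table, customer names and timestamp are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def utc(y, mo, d, h, mi=0, s=0):
    """Shorthand for a timezone-aware UTC datetime."""
    return datetime(y, mo, d, h, mi, s, tzinfo=UTC)


# Constructed DHCP lease history for one dynamic address, kept in UTC:
# (ip, lease start, lease end, customer)
LEASES = [
    ("192.0.2.45", utc(2000, 10, 2, 0), utc(2000, 10, 2, 4), "customer-A"),
    ("192.0.2.45", utc(2000, 10, 2, 4), utc(2000, 10, 2, 9), "customer-B"),
    ("192.0.2.45", utc(2000, 10, 2, 9), utc(2000, 10, 2, 14), "customer-C"),
]


def to_utc(stamp, offset_hours):
    """Interpret a zone-less log timestamp as local time at the given UTC offset."""
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    zone = timezone(timedelta(hours=offset_hours))
    return local.replace(tzinfo=zone).astimezone(UTC)


def lease_holder(ip, when_utc):
    """Return the customer holding `ip` at `when_utc`, or None if no lease matches."""
    for lease_ip, start, end, customer in LEASES:
        if lease_ip == ip and start <= when_utc < end:
            return customer
    return None


def possible_holders(ip, stamp, offsets):
    """Map each candidate UTC offset to the customer that reading would implicate."""
    return {off: lease_holder(ip, to_utc(stamp, off)) for off in offsets}


if __name__ == "__main__":
    stamp = "2000-10-02 02:24:11"  # constructed report timestamp, no zone given
    for off, who in possible_holders("192.0.2.45", stamp, [-7, -4, 0]).items():
        print(f"GMT{off:+03d}: {who}")
```

With no offset in the report, the same line points at three different customers; with the offset supplied, exactly one lease matches.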
