[Snort-users] Finding contact addresses

Andrew Daviel andrew at ...523...
Thu Jan 25 03:38:29 EST 2001


I was thinking about writing an IE draft along the lines
of RFC 2142 (e.g. http://www.alternic.org/rfcs/rfc2100/rfc2142.txt)
for providing contact addresses in a domain. In fact I did start
writing it in an idle moment, but I'm not sure now whether it's
worth doing.

The idea is, in the event of getting a scan or attack from some
IP address, to be able to easily find a phone number and email address
of someone responsible for the machine. RFC 2142 recommends
providing security at ...1204... and abuse at ...1204..., which has email covered
but not phone numbers.

In the old days (well, the late 80s to mid 90s) one could do a reverse
lookup then run whois on internic (finger was good, too). Now, there are
multiple registrars for TLDs, more TLDs, more use of 2-letter TLDs like
.tv and .nu, so that whois is not always so easy.

I was going to suggest using a host "abuse.xxx.org" as a website
in domain xxx.org with contact information, maybe in XML or some parsable
format, instead of having to drill down various "home page", "contact us"
etc. pages or trying to find the proper whois server. One might provide
some separate handler for automated reports; I think someone at SANS
is working on a common reporting format.

Then I remembered that half the time IPs don't resolve, so one
has to go through ARIN etc., and in the case of hosting companies
you still haven't found the owner of the machine anyhow. So maybe
it's all pretty futile and we just try and encourage people to set up
whois or rwhois servers, as Exodus does. Hmm, there's even a "rwhois.tv",
though I'm not sure if it's working.

Comments?

-- 
Andrew Daviel, TRIUMF, Canada
security at ...524...
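A worked sketch of the lookup chain the post describes (reverse lookup on the scanning IP, then a parsable contact record on a hypothetical `abuse.<domain>` host, then RFC 2142 role mailboxes or whois as fallbacks), added here as an example; it is not code from the original post or from any real registry. The XML layout, the reverse-DNS table, the fetched records and the helper names (`find_contact`, `parse_contact_record`, `lookup_ptr`, `fetch_record`) are all constructed assumptions so that it runs offline; a real deployment would replace the two table lookups with a PTR query and an HTTP fetch, and should treat the fetched record as untrusted input, which is why parse failures simply drop through to the next fallback.

```python
"""Contact lookup for a scanning IP: abuse.<domain> record, then RFC 2142, then whois.

Added example, not code from the original post. Assumptions: reverse DNS and
record fetching are injected as functions backed by constructed tables, and
the abuse.<domain> host publishes the made-up XML layout in CONTACT_XML.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed stand-in for PTR lookups (no network access).
REVERSE_TABLE = {
    "192.0.2.17": "host12.example.org.",   # resolves, record available
    "198.51.100.5": "www.sub.example.net",  # resolves, no abuse host
    "203.0.113.40": "mail.example.com",     # resolves, record lacks abuse entry
    # "203.0.113.9" is intentionally absent: the IP does not resolve.
}

# Constructed sample record in the hypothetical abuse.<domain> XML layout.
CONTACT_XML = """<?xml version="1.0"?>
<contact domain="example.org">
  <security email="security@example.org" phone="+1 555 0100"/>
  <abuse email="abuse@example.org" phone="+1 555 0101"/>
</contact>
"""

# Constructed stand-in for fetching http://abuse.<domain>/ over the network.
RECORDS = {
    "http://abuse.example.org/": CONTACT_XML,
    "http://abuse.example.com/": '<contact domain="example.com">'
                                 '<security email="security@example.com"/>'
                                 '</contact>',
}


@dataclass
class Contact:
    domain: str
    email: str
    phone: Optional[str]
    source: str  # "abuse-host", "rfc2142" or "whois"


def lookup_ptr(ip: str) -> Optional[str]:
    """Reverse lookup against the constructed table; None when no PTR exists."""
    return REVERSE_TABLE.get(ip)


def fetch_record(url: str) -> Optional[str]:
    """Fetch the contact record for a URL from the constructed table."""
    return RECORDS.get(url)


def registered_domain(hostname: str) -> str:
    """Last two labels of a hostname; a rough stand-in for 'the domain'."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def abuse_url(domain: str) -> str:
    """The hypothetical abuse.<domain> website proposed in the post."""
    return f"http://abuse.{domain}/"


def parse_contact_record(xml_text: str, role: str = "abuse") -> Contact:
    """Parse one role (abuse or security) out of the constructed XML layout.

    Raises ET.ParseError on malformed XML and ValueError when the role or its
    email attribute is missing, so callers can fall back instead of trusting it.
    """
    root = ET.fromstring(xml_text)
    domain = root.get("domain")
    node = root.find(role)
    if domain is None or node is None or not node.get("email"):
        raise ValueError(f"no usable {role} entry in contact record")
    return Contact(domain, node.get("email"), node.get("phone"), "abuse-host")


def find_contact(ip: str,
                 resolve_ptr: Callable[[str], Optional[str]] = lookup_ptr,
                 fetch: Callable[[str], Optional[str]] = fetch_record) -> Contact:
    """Walk the lookup chain: abuse host record -> RFC 2142 mailbox -> whois."""
    hostname = resolve_ptr(ip)
    if hostname is None:
        # No reverse name at all: only the address-block registry (ARIN etc.)
        # can say who holds the block, and that may still not be the owner.
        return Contact("", "", None, "whois")
    domain = registered_domain(hostname)
    record = fetch(abuse_url(domain))
    if record is not None:
        try:
            return parse_contact_record(record)
        except (ET.ParseError, ValueError):
            pass  # untrusted or incomplete record: drop to the next fallback
    # RFC 2142 covers the mailbox but gives no phone number.
    return Contact(domain, f"abuse@{domain}", None, "rfc2142")


if __name__ == "__main__":
    for addr in ("192.0.2.17", "198.51.100.5", "203.0.113.40", "203.0.113.9"):
        print(addr, find_contact(addr))
```

Running the block prints one `Contact` per sample address: the first comes from the parsed abuse-host record (with a phone number), the next two fall back to the RFC 2142 mailbox, and the unresolvable address is routed to whois.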
