[Snort-users] Finding contact addresses
agent33 at ...187...
Thu Jan 25 10:28:37 EST 2001
Since getting people to volentarily create an abuse at ...1208... email address
doesn't seem to be working, I doubt getting people to create a webpage with
this information would work either. Check out the work at
http://www.abuse.net, they are trying to create a database of abuse
> -----Original Message-----
> From: Andrew Daviel [mailto:andrew at ...523...]
> Sent: Thursday, January 25, 2001 2:38 AM
> To: Snort Users
> Subject: [Snort-users] Finding contact addresses
> I was thinking about writing an IE draft along the lines
> of RFC 2142 (e.g. http://www.alternic.org/rfcs/rfc2100/rfc2142.txt)
> for providing contact addresses in a domain. In fact I did start
> writing it in an idle moment, but I'm not sure now whether it's
> worth doing.
> The idea is, in the event of getting a scan or attack from some
> ip address, to be able to easily find a phone number and email address
> of someone responsible for the machine. RFC 2142 recommends
> providing security at ...1204... and abuse at ...1204..., which has email covered
> but not phone numbers.
> In the old days (well, the late 80's - mid 90's) one could do
> a reverse
> lookup then run whois on internic (finger was good, too). Now, there's
> multiple registrars for TLDs, more TLDs, more use of 2-letter
> TLDs like
> .tv and .nu so that whois is not always so easy.
> I was going to suggest using a host "abuse.xxx.org" as a website
> in domain xxx.org with contact information, maybe in XML or
> some parsable
> format, instead of having to drill down various "home page",
> "contact us"
> etc. pages or trying to find the proper whois server. One
> might provide
> some separate handler for automated reports; I think someone at SANS
> is working on a common reporting format.
> Then I remembered that half the time ip's don't resolve, so one
> has to go through ARIN etc. and in the case of hosting companies that
> you still haven't found the owner of the machine anyhow. So maybe
> it's all pretty futile and we just try and encourage people to set up
> whois or rwhois servers, as Exodus does. Hmm, there's even a
> though I'm not sure if it's working.
> Comments ?
> Andrew Daviel, TRIUMF, Canada
> security at ...524...
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users