[Snort-users] getcontact utility

Andrew Daviel andrew at ...523...
Tue Jun 19 15:18:17 EDT 2001


On Mon, 18 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:

> Hello,
>
> I am looking for a utility to use with Snort (running on Linux) similar to
> the "Getcontact" utility seen on snort.org. It would be nice to be able to
> automatically lookup contacts for the different ISPs and send out emails
> when certain attacks occur. Does anyone have a script they could share that
> could do this?

My reporter script (the subject of some criticism for one false alert :-7)
has a contact lookup module.
Like most of my stuff, it's ugly Perl (what do you expect from an
ex-FORTRAN programmer). http://andrew.triumf.ca/pub/security/reporter/

The contact lookup algorithm keeps evolving. Currently, it works like
this:

Try to resolve the IP with DNS.
Failing that, try to get an Apache error message. Failing that, a sendmail
banner (many APNIC sites don't resolve).
Work along the name looking for an MX record.
Look up the org. in a private database.
Look up the org at whois.abuse.net.
Try mailing to "abuse" anyhow, and watch for a bounce.
If it doesn't resolve,
  dig through whois records starting at whois.arin.net.
  Mail to "abuse" if it exists in the whois record.
  If the technical contact address seems to match the netblock, as it does
  for major ISPs & orgs, try mailing "abuse at ...2334...".
  Otherwise, mail any email address found in the record, except if
  it's IANA, meaning it's a private netblock and I didn't notice.
Try not to mail people like "nic at ...2335..." if I can help it.

dshield.org is doing something similar with aggregate records. They cache
whois contacts and store them in a database. There's an SQL dump on the
web. Abuse.net is really for spam complaints but I've started
using their database for resolved names except where I know a more
appropriate one, e.g. "security-nonverbose at ...2336..." or whatever.

As has been pointed out to me, an automated reporter is vulnerable to
scans with spoofed source addresses as an attack on the credibility
of the reporter. (Maybe I need a "credible limit" of total scans/hour)

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security at ...524...
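Added example (editor's code, not Andrew's reporter script and not the Perl at the URL above): a Python sketch of the same contact-lookup order, run against constructed lookup tables so it works offline. All PTR, MX, A and whois records below are made up for the example; no real domains or netblocks are described. The Apache/sendmail banner probes, the whois.abuse.net query and the "mail abuse@ and watch for a bounce" step are omitted because they need the network. The "technical contact seems to match the netblock" test is interpreted here as: the contact's domain has an A record inside the whois NetRange; that interpretation is an assumption, as is the explicit RFC 1918 guard in abuse_contact() that catches private space before any lookup.

```python
import ipaddress
import re

# Constructed lookup tables standing in for DNS and whois (not real records).
PTR_RECORDS = {"192.0.2.10": "dialup-10.users.example.net"}
MX_DOMAINS = {"example.net", "example-hosting.test"}
A_RECORDS = {"example-transit.test": "203.0.113.25", "registry.test": "192.0.2.200"}
# Hand-curated overrides, the "private database" of the post.
PRIVATE_DB = {"example.net": "security-nonverbose@example.net"}
WHOIS_RECORDS = {
    "198.51.100.7": (
        "NetRange:      198.51.100.0 - 198.51.100.255\n"
        "OrgName:       Example Hosting\n"
        "OrgAbuseEmail: abuse@example-hosting.test\n"
        "TechEmail:     noc@example-hosting.test\n"
    ),
    "203.0.113.9": (
        "NetRange:   203.0.113.0 - 203.0.113.63\n"
        "OrgName:    Example Transit\n"
        "TechEmail:  noc@example-transit.test\n"
    ),
    "203.0.113.77": (
        "NetRange:   203.0.113.64 - 203.0.113.95\n"
        "OrgName:    Small Co\n"
        "TechEmail:  nic@registry.test\n"
        "AdminEmail: jane@smallco.test\n"
    ),
    "10.0.0.5": (
        "NetRange:     10.0.0.0 - 10.255.255.255\n"
        "OrgName:      Internet Assigned Numbers Authority\n"
        "OrgTechEmail: abuse@iana.org\n"
    ),
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def contact_by_name(ip):
    """Reverse-resolve, then walk up the name until some label has an MX record."""
    name = PTR_RECORDS.get(ip)
    if not name:
        return None
    labels = name.split(".")
    for i in range(len(labels) - 1):          # never fall all the way to the bare TLD
        domain = ".".join(labels[i:])
        if domain in MX_DOMAINS:
            # Private database wins; otherwise mail "abuse" at the MX domain anyhow.
            return PRIVATE_DB.get(domain, "abuse@" + domain)
    return None


def parse_whois(text):
    """Turn 'Key: value' whois lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def contact_by_whois(ip):
    """Dig through the whois record when the address does not resolve."""
    text = WHOIS_RECORDS.get(ip)
    if text is None:
        return None
    fields = parse_whois(text)
    if "assigned numbers authority" in fields.get("orgname", "").lower():
        return None                            # IANA: private netblock we failed to notice
    lo, _, hi = (p.strip() for p in fields.get("netrange", "").partition("-"))

    def in_netblock(host_ip):
        try:
            return ipaddress.ip_address(lo) <= ipaddress.ip_address(host_ip) <= ipaddress.ip_address(hi)
        except ValueError:
            return False

    emails = [(k, v) for k, v in fields.items() if EMAIL_RE.fullmatch(v)]
    # 1. Mail "abuse" if the record names one.
    for key, addr in emails:
        if "abuse" in key or addr.lower().startswith("abuse@"):
            return addr
    # 2. Tech contact whose domain lives inside the netblock (assumption: A record in NetRange).
    for key, addr in emails:
        if "tech" in key:
            domain = addr.split("@", 1)[1]
            if in_netblock(A_RECORDS.get(domain, "")):
                return "abuse@" + domain
    # 3. Any address in the record, with "nic@"-style accounts as a last resort.
    ranked = sorted(emails, key=lambda kv: kv[1].lower().startswith("nic@"))
    return ranked[0][1] if ranked else None


def abuse_contact(ip):
    """Full lookup order: RFC 1918 guard, then DNS/MX path, then whois path."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return None                            # never report private space at all
    return contact_by_name(ip) or contact_by_whois(ip)


if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.7", "203.0.113.9", "203.0.113.77", "10.0.0.5"):
        print(src, "->", abuse_contact(src))
```

The ordering matters more than any single rule: a record's own abuse mailbox beats a guessed abuse@ at the tech contact's domain, which beats a scraped individual address, and a "nic@" registry contact is chosen only when nothing else exists. Swapping the dictionaries for real socket.gethostbyaddr() and whois calls gives a live version, at which point the credibility concern at the end of the post applies: a sender who spoofs source addresses can make this code mail the wrong people, so a per-hour cap on reports is a sensible addition before anything goes out.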