[Snort-users] Action Recommendations

twig les twigles at ...131...
Mon Oct 28 10:32:05 EST 2002


I worked at an ISP that blocked offending IPs at the
border.  It was an insane policy and resulted in Cisco
7500s with 99% CPU utilization because the ACLs were
6,000-10,000 lines each.  I wouldn't go down that road
unless the attacking IP/range is particularly nasty.


--- Justin Jessup <jaager7 at ...741...> wrote:
> I believe SANS has such a database setup, with the most frequent
> abusive IP addresses listed
>
>
> jj
>
> Steve Suehring <snort at ...7160...> wrote:
> __________
> > On Sun, Oct 27, 2002 at 01:20:04PM -0500, Jarret Gibson wrote:
> > >    - Should I bother with reporting these security problems to the
> > >      offending person's ISP / office?  I've heard most of you say that
> > >      people rarely (if ever) do anything about the script kiddies /
> > >      hackers when you report them.
> >
> > I can't so much speak to the other questions in the email, but as far
> > as reporting goes, it depends on a few factors.
> >
> > I've found that three major factors come into play when reporting:
> > which ISP owns the IP space, what you're reporting, what you include
> > in the report.
> >
> > First and foremost, it is unfortunate to say that it depends on which
> > ISP you report the activity to.  It appears that some ISPs absolutely
> > don't care what happens within their IP space.  This is the direct
> > result of the abuse department not having enough resources and in some
> > cases not having a clue.  I've found *and this is just my opinion* that
> > cable companies and telephone companies that now sell Internet are
> > many times lacking in both.
> >
> > Secondly, what you're reporting is also important.  The abuse
> > department receives massive amounts of email.  If you're reporting a
> > simple 'wrong number' type scan where someone typed in the wrong IP,
> > they're likely to not pursue it.  Again, this goes back to the abuse
> > department not having enough resources.
> >
> > Finally, what you include in the report is also important.  I've seen
> > a number of reports come in from people all over claiming that a
> > customer was doing something.  In fact, sometimes the report would say
> > just that: "one of your customers is doing something to my web server,
> > stop now!"  Obviously, there's lots we could do with a report like
> > that.  :)  If you include information such as logfiles, timezone, why
> > exactly this was bad or indicative of abuse, etc., your report would
> > have a better chance of being investigated.  This somewhat ties in
> > with the abuse department not having a clue and not having resources.
> >
> > Again, the ISP is the biggest factor in the process.  Some ISPs are
> > great at slapping users, others seem to have a blackhole abuse mailbox.
> >
> > One idea (that someone else has already had, I'm sure) would be to set
> > up a centralized site that contained an abuse reports database.  You
> > could then grab the list sorted by the top 10 subnets that the hijinx
> > originates from and block 'em.  Part of the database could contain
> > whether or not the activity was reported to the ISP and what they did
> > about it.  Correlating that information, it would become evident which
> > ISPs are attempting to do something about abuse from their IP space.
> > If this isn't out there already and there is some interest, I'd be
> > willing to look into it further.  I thought I saw something like this
> > on ISS or SANS or someone, I can't remember.
> >
> > Anyway, hope that helps to give you an idea on reporting things.
> >
> > Steve
>
> -------------------------------------------------------
> This SF.net email is sponsored by: ApacheCon, November 18-21 in
> Las Vegas (supported by COMDEX), the only Apache event to be
> fully supported by the ASF. http://www.apachecon.com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Heavy metal made me do it.                        
-----------------------------------------------------------
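The two practical points in the thread are Steve's list of what an abuse report needs (logfiles, timezone, why the traffic was bad, and not bothering with a lone "wrong number" scan) and the aggregation-by-subnet idea, which also answers twig's ACL-bloat complaint: block a few busy /24s, not thousands of individual hosts. The script below is an added example, not code from the thread or from the Snort project. It assumes the Snort 2.x `alert_fast` line layout, a sensor clock running on US Eastern Standard Time (UTC-5), and a constructed sample log using TEST-NET addresses with illustrative rule IDs; the thresholds in `reportable_sources` are a policy choice, not anything the thread prescribes.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Layout of a Snort 2.x "alert_fast" line (the year is not recorded, so the
# caller supplies it):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"^(?P<mon>\d{2})/(?P<day>\d{2})-(?P<hms>\d{2}:\d{2}:\d{2})\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$"
)

# Assumption: the sensor clock runs on US Eastern Standard Time (UTC-5).
SENSOR_TZ = timezone(timedelta(hours=-5), "EST")

# Constructed sample log (not from the thread); rule IDs, messages and the
# TEST-NET addresses are illustrative.  The last line is deliberate junk.
SAMPLE_ALERTS = """\
10/27-13:20:04.118532  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.45:3154 -> 198.51.100.10:80
10/27-13:20:05.201143  [**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.45:3155 -> 198.51.100.10:80
10/27-13:22:41.003315  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.45:3201 -> 198.51.100.10:80
10/27-14:02:17.770020  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.9 -> 198.51.100.10
10/27-15:45:30.554001  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.77:1043 -> 198.51.100.10:80
this line is not a Snort alert and must be skipped
"""

def parse_fast_alert(line, year, sensor_tz=SENSOR_TZ):
    """Parse one alert_fast line into a dict; return None for anything else."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    local = datetime.strptime(f"{year}/{m['mon']}/{m['day']} {m['hms']}",
                              "%Y/%m/%d %H:%M:%S").replace(tzinfo=sensor_tz)
    return {
        "ts_utc": local.astimezone(timezone.utc),  # normalise so the ISP need not guess
        "sid": int(m["sid"]), "msg": m["msg"],
        "cls": m["cls"] or "unclassified", "prio": int(m["prio"]),
        "src": ip_address(m["src"]), "dst": ip_address(m["dst"]),
        "raw": line.strip(),
    }

def parse_fast_log(text, year, sensor_tz=SENSOR_TZ):
    """Parse a whole alert_fast file, silently dropping non-alert lines."""
    parsed = (parse_fast_alert(l, year, sensor_tz) for l in text.splitlines())
    return [a for a in parsed if a is not None]

def reportable_sources(alerts, min_alerts=2, always_report_priority=1):
    """Sources worth a report: repeat offenders, or any hit at top priority.
    A lone low-priority hit is the 'wrong number' scan nobody will chase."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    return sorted(src for src, hits in by_src.items()
                  if len(hits) >= min_alerts
                  or min(h["prio"] for h in hits) <= always_report_priority)

def top_subnets(alerts, prefix_len=24, limit=10):
    """Aggregate sources into /prefix_len networks, busiest first; a short
    list of aggregates is what keeps a border ACL from growing per host."""
    counts = Counter(ip_network(f"{a['src']}/{prefix_len}", strict=False) for a in alerts)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]

def build_abuse_report(alerts, src, sensor_tz=SENSOR_TZ):
    """Plain-text abuse report: UTC window, sensor timezone, rules fired, evidence."""
    hits = sorted((a for a in alerts if a["src"] == src), key=lambda a: a["ts_utc"])
    if not hits:
        raise ValueError(f"no alerts from {src}")
    first, last = hits[0]["ts_utc"], hits[-1]["ts_utc"]
    offset = first.astimezone(sensor_tz).strftime("%Z (UTC%z)")
    out = [
        f"Subject: IDS alerts from {src}, {first:%Y-%m-%d %H:%M:%S} to {last:%H:%M:%S} UTC",
        "",
        f"Between the times above (UTC) the host {src} triggered {len(hits)} Snort alert(s)",
        f"against our web server {hits[0]['dst']}.  Raw log lines below are in the",
        f"sensor's local time, {offset}.",
        "",
        "Rules that fired and why this is abuse rather than a stray connection:",
    ]
    for sid, n in Counter(a["sid"] for a in hits).most_common():
        ex = next(a for a in hits if a["sid"] == sid)
        out.append(f"  - {n}x SID {sid}: {ex['msg']} [{ex['cls']}, priority {ex['prio']}]")
    out += ["", "Sensor log lines:"] + [f"  {a['raw']}" for a in hits]
    return "\n".join(out)

if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_ALERTS, year=2002)
    for net, n in top_subnets(alerts):
        print(f"{n:4d}  {net}")
    for src in reportable_sources(alerts):
        print("\n" + build_abuse_report(alerts, src))
```

Run it against a real `alert` file by replacing `SAMPLE_ALERTS` with the file contents and setting `year` and `SENSOR_TZ` to match the sensor; the report deliberately carries both the UTC window and the sensor's own offset so an abuse desk in another timezone can match the raw lines against their own flow records, which is exactly the detail Steve says most reports omit.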
