[Snort-users] You caught them, what next?
mkettler at ...4108...
Wed Apr 2 12:20:44 EST 2003
Well, first, unless you've got evidence of actual malicious intent, an
exploitation attempt, or actual damages to your service quality, I'd not
waste your time writing letters.
Sure, doing a NMAP fingerprint is a bit rude, but unless you can show they
are somehow degrading your network by doing it too heavily, or are about to
launch an exploit attempt, there's nothing that's actually against the ToS
of most ISPs about doing it.
IMHO, there really should not be a blanket prohibition of fingerprinting
unless it somehow interferes with the network probed. After all, it's
perfectly legitimate to do a NMAP OS fingerprint of a couple of sites as
part of an academic research paper on TCP/IP stack deployments. That said,
it's up to the operator of the scan to ensure that the methods won't
interfere with the target servers or their networks, and if it does, said
operator should be responsible for any disruption he or she causes.
When it comes to the level of prohibition and disconnecting users, there
really needs to be some evidence that this is of a malicious nature, or
causes some kind of damage/degradation. Pure research is a valid thing on
the internet. If you don't want to be a part of that research, firewall 'em.
Personally, I view this as similar to calling the local police department
complaining just because someone that doesn't live on your street drove
down and took a few photos of a house on your block. He could be a real
estate agent or news reporter after all, and the police have better things
to do with their time than answer overly paranoid hunches with no hint or
evidence that he's got any form of criminal intent, did no actual damage to
the property, nor violated any laws.
At 09:57 AM 4/2/2003 -0800, Tobias Rice wrote:
>Good morning to you all!
>I hope that this isn't getting too far off topic, but since we all have
>this wonderful IDS in place, I'm sure you too are finding lots of people
>doing things they shouldn't. Which brings me to my question, what now?
>Other than blocking them at the router, what action should be taken? I
>often email the ISP's technical contact telling them what I found and for
>them to put an end to it. But is this useful? I've never gotten an email
>back, and I've sent plenty, which leads me to believe that no action has
>been taken, it went to the wrong person, or my emails (which are pretty
>curt, see example) have offended the RP and were discarded. What are you all
>doing about your alerts?
>To Whom It May Concern:
>One of your customers, 184.108.40.206 (host18.fastdial.net), made 69
>attempts to fingerprint my network via NMAP on 2003-04-02 03:43:39
>Pacific. Please see to it that this stops immediately. Thank you for your
>Thanks in advance!