[Snort-users] You caught them, what next?

Matt Kettler mkettler at ...4108...
Wed Apr 2 12:20:44 EST 2003

Well, first, unless you've got evidence of actual malicious intent, an 
exploitation attempt, or actual damages to your service quality, I'd not 
waste your time writing letters.

Sure, doing an NMAP fingerprint is a bit rude, but unless you can show they 
are somehow degrading your network by doing it too heavily, or are about to 
launch an exploit attempt, there's nothing in the ToS of most ISPs that 
actually prohibits doing it.

IMHO, there really should not be a blanket prohibition of fingerprinting 
unless it somehow interferes with the network probed. After all, it's 
perfectly legitimate to do a NMAP OS fingerprint of a couple of sites as 
part of an academic research paper on TCP/IP stack deployments. That said, 
it's up to the operator of the scan to ensure that the methods won't 
interfere with the target servers or their networks, and if it does, said 
operator should be responsible for any disruption he or she causes.

When it comes to the level of prohibition and disconnecting users, there 
really needs to be some evidence that this is of a malicious nature, or 
causes some kind of damage/degradation. Pure research is a valid thing on 
the internet. If you don't want to be a part of that research, firewall 'em.

Personally, I view this as similar to calling the local police department 
complaining just because someone that doesn't live on your street drove 
down and took a few photos of a house on your block. He could be a real 
estate agent or news reporter after all, and the police have better things 
to do with their time than answer overly paranoid hunches with no hint or 
evidence that he's got any form of criminal intent, when he did no actual 
damage to the property and violated no laws.

At 09:57 AM 4/2/2003 -0800, Tobias Rice wrote:
>Good morning to you all!
>I hope that this isn't getting too far off topic, but since we all have 
>this wonderful IDS in place, I'm sure you too are finding lots of people 
>doing things they shouldn't. Which brings me to my question, what now?
>Other than blocking them at the router, what action should be taken? I 
>often email the ISP's technical contact telling them what I found and for 
>them to put an end to it. But is this useful? I've never gotten an email 
>back, and I've sent plenty, which leads me to believe that no action has 
>been taken, it went to the wrong person, or my email (which are pretty 
>curt, see example) has offended the RP and was discarded. What are you all 
>doing about your alerts?
>[example email.]
>To Whom It May Concern:
>One of your customers, (host18.fastdial.net), made 69 
>attempts to fingerprint my network via NMAP on 2003-04-02 03:43:39 
>Pacific. Please see to it that this stops immediately. Thank you for your 
>[/example email...]
>Thanks in advance!

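An added example, not code from this thread or from the Snort project: a small triage script that applies the rule Matt argues for (write to the ISP only when the alerts show an exploit attempt or a rate high enough to degrade the network; otherwise just firewall the source) to Snort 2 "fast"-format alert lines grouped per source address. The alert lines, the SIDs and classification strings they carry, the addresses, the set of classifications treated as exploit attempts and the 600-events-per-minute degradation threshold are all constructed or assumed for the example; check them against your own rules and classification.config before using the output in a letter like the one quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example, not from the thread or from Snort. Snort's fast alert
# format omits the year, so the caller supplies it when parsing.
FAST_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?'
    r'\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$'
)

# Classification names that exploit-type classtypes carry (attempted-admin,
# attempted-user, shellcode-detect, web-application-attack, ...). Pure
# reconnaissance ("Attempted Information Leak", "Detection of a Network
# Scan") is deliberately left out. Assumed list; adjust to your config.
EXPLOIT_CLASSES = {
    "Attempted Administrator Privilege Gain",
    "Attempted User Privilege Gain",
    "Executable Code was Detected",
    "Web Application Attack",
    "Successful Administrator Privilege Gain",
    "Successful User Privilege Gain",
}

# Peak alert rate from one source above which the scan is treated as
# degrading the network. Arbitrary value chosen for this example.
DEGRADATION_EVENTS_PER_MINUTE = 600


def parse_fast_alert(line, year):
    """Return a dict for one fast-format alert line, or None if it is not one."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": int(m["sid"]), "msg": m["msg"],
            "cls": m["cls"] or "", "src": m["src"], "dst": m["dst"]}


def peak_events_per_minute(times):
    """Largest number of events falling inside any 60-second window."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > 60:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def triage(lines, year, rate_threshold=DEGRADATION_EVENTS_PER_MINUTE):
    """Group alerts by source and decide: report (exploit/degradation) or firewall."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_fast_alert(line, year)
        if ev:
            by_src[ev["src"]].append(ev)
    result = {}
    for src, evs in by_src.items():
        times = [e["ts"] for e in evs]
        classes = {e["cls"] for e in evs}
        peak = peak_events_per_minute(times)
        if classes & EXPLOIT_CLASSES:
            verdict = "report: exploit attempt"
        elif peak >= rate_threshold:
            verdict = "report: degradation"
        else:
            verdict = "firewall or ignore"
        result[src] = {"count": len(evs), "first": min(times), "last": max(times),
                       "peak_per_minute": peak, "classes": sorted(classes),
                       "sids": sorted({e["sid"] for e in evs}), "verdict": verdict}
    return result


def format_abuse_note(src, s, tz_label="local time"):
    """Factual one-line summary of the kind an abuse desk can actually act on."""
    return (f"Source {src}: {s['count']} alerts between "
            f"{s['first']:%Y-%m-%d %H:%M:%S} and {s['last']:%Y-%m-%d %H:%M:%S} "
            f"{tz_label}, peak {s['peak_per_minute']}/min, Snort SIDs {s['sids']}, "
            f"classifications {s['classes']}; verdict: {s['verdict']}")


# Constructed sample alerts (documentation-range addresses, made-up timing):
#  - 69 nmap XMAS probes from 10.1.2.3 within seven seconds (the quoted letter's case)
#  - 203.0.113.9 follows one probe with a cmd.exe request against the web server
#  - 192.0.2.99 sends 700 ICMP pings in seven seconds (rate, not intent)
SAMPLE_LINES = [
    f"04/02-03:43:{39 + i // 10:02d}.{(i % 10) * 100000:06d}  [**] [1:1228:3] SCAN nmap XMAS "
    f"[**] [Classification: Attempted Information Leak] [Priority: 2] {{TCP}} "
    f"10.1.2.3:{40000 + i} -> 192.0.2.10:{1 + i}" for i in range(69)
] + [
    "04/02-04:10:01.000000  [**] [1:1228:3] SCAN nmap XMAS [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:3343 -> 192.0.2.10:80",
    "04/02-04:10:02.000000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:3344 -> 192.0.2.10:80",
] + [
    f"04/02-05:00:{i // 100:02d}.{(i % 100) * 10000:06d}  [**] [1:469:1] ICMP PING NMAP [**] "
    f"[Classification: Attempted Information Leak] [Priority: 2] {{ICMP}} 192.0.2.99 -> 192.0.2.10"
    for i in range(700)
]

if __name__ == "__main__":
    for src, summary in triage(SAMPLE_LINES, 2003).items():
        print(format_abuse_note(src, summary, tz_label="Pacific"))
```

Run as-is it prints one summary line per source: the 69-probe host gets "firewall or ignore", the cmd.exe source gets "report: exploit attempt", and the ping flood gets "report: degradation". The summary line is also the shape of evidence an abuse desk can check (counts, first/last timestamps with the time zone named, rule IDs), which the quoted one-sentence letter does not give them.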