[Snort-users] You caught them, what next?

Gordon Cunningham gcunnin2 at ...163...
Wed Apr 2 13:23:01 EST 2003


Matt, et al,

I agree with your points, though I have written emails and provided info for
my ISP to track down issues and correct them from virus-laden systems that
continually attack my systems.  Most of the time you get an auto-reply email
and you never hear back from the ISP, but sometimes you do see the offending
system get cleaned up a couple days later.

However, this is the middle ground here - I believe the conscientious ISP
would do well to pay attention to virus- and worm-spewing systems without
(apparently) the owner's knowledge of the issue or problem.  If I see a Code
Red-infected system (which of course I can pick up with snort or my web
server logs), and I don't have info as to the owner of the system, wouldn't
it be a "good netizen" task to notify the ISP, who has the records of who
that node belongs to, and allow them to contact the owner to inform them of
the issue, maybe even help correct it?  Maybe this shouldn't be an
abuse at ...8759... mail address - maybe we should lobby for another address
(keepclean at ...8759...) that has people to handle this type of situation?
Assuming everyone is patched against the attack, that spewing system still
hurts everyone in terms of bandwidth consumption.

- Gordon
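An added example of what "pick it up with my web server logs" looks like in practice (this is not code from Gordon or from the Snort project). Code Red propagated by sending an oversized GET request for /default.ida to IIS hosts, so that request path in an ordinary access log identifies an infected source even on servers that never ran IIS. The script below parses Apache combined-format lines, keeps only the Code Red probes, and summarises them per source address with first/last timestamps, which is the information an ISP abuse desk needs to match a node to a customer. The log lines, the documentation-range IP addresses and the timestamps are constructed sample data, not real traffic.

```python
"""Summarise Code Red probes found in a web server access log, per source IP.

Added example, not from the original thread. Assumes Apache combined log
format; the sample lines below are constructed and use RFC 5737 test
addresses, not real hosts.
"""
import re

# Constructed sample log (not real traffic). Two probes from one source, one
# legitimate request, and one probe from a second source.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Apr/2003:03:43:39 -0800] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
192.0.2.10 - - [02/Apr/2003:03:43:41 -0800] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [02/Apr/2003:03:50:02 -0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
203.0.113.5 - - [02/Apr/2003:04:01:17 -0800] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
"""

# Apache combined format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_code_red_probe(path):
    """Code Red's propagation request targets /default.ida with a long query string."""
    return path.lower().startswith("/default.ida?")


def summarise_probes(log_text):
    """Return {ip: {"count": n, "first": ts, "last": ts}} for Code Red probes only."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_code_red_probe(rec["path"]):
            continue
        entry = hits.setdefault(
            rec["ip"], {"count": 0, "first": rec["ts"], "last": rec["ts"]}
        )
        entry["count"] += 1
        entry["last"] = rec["ts"]  # lines are in log order, so the latest wins
    return hits


def format_report(hits):
    """Render one line per source, busiest first, with the timestamps and zone intact."""
    lines = []
    for ip, e in sorted(hits.items(), key=lambda kv: -kv[1]["count"]):
        lines.append(
            f"{ip}: {e['count']} Code Red probe(s), first {e['first']}, last {e['last']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarise_probes(SAMPLE_LOG)))
```

The report keeps the log's own timestamp and UTC offset rather than converting it; an ISP tying a dial-up or DHCP address to a customer needs the exact time and zone, which is the one detail most often missing from abuse reports.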

 -----Original Message-----
From: 	snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]  On Behalf Of Matt Kettler
Sent:	Wednesday, April 02, 2003 3:13 PM
To:	Tobias Rice; 'snort-users'
Subject:	Re: [Snort-users] You caught them, what next?

Well, first, unless you've got evidence of actual malicious intent, an
exploitation attempt, or actual damages to your service quality, I'd not
waste your time writing letters.

Sure, doing a NMAP fingerprint is a bit rude, but unless you can show they
are somehow degrading your network by doing it too heavily, or are about to
launch an exploit attempt, there's nothing that's actually against the ToS
of most ISPs about doing it.

IMHO, there really should not be a blanket prohibition of fingerprinting
unless it somehow interferes with the network probed. After all, it's
perfectly legitimate to do a NMAP OS fingerprint of a couple of sites as
part of an academic research paper on TCP/IP stack deployments. That said,
it's up to the operator of the scan to ensure that the methods won't
interfere with the target servers or their networks, and if it does, said
operator should be responsible for any disruption he or she causes.

When it comes to the level of prohibition and disconnecting users, there
really needs to be some evidence that this is of a malicious nature, or
causes some kind of damage/degradation. Pure research is a valid thing on
the internet. If you don't want to be a part of that research, firewall em.

Personally, I view this as similar to calling the local police department
complaining just because someone that doesn't live on your street drove
down and took a few photos of a house on your block. He could be a real
estate agent or news reporter after all, and the police have better things
to do with their time than answer overly paranoid hunches with no hint or
evidence that he's got any form of criminal intent, did no actual damage to
the property, nor violated any laws.

At 09:57 AM 4/2/2003 -0800, Tobias Rice wrote:
>Good morning to you all!
>I hope that this isn't getting too far off topic, but since we all have
>this wonderful IDS in place, I'm sure you too are finding lots of people
>doing things they shouldn't. Which brings me to my question, what now?
>Other than blocking them at the router, what action should be taken? I
>often email the isp's technical contact telling them what I found and for
>them to put an end to it. But is this useful? I've never gotten an email
>back, and I've sent plenty, which leads me to believe that no action has
>been taken, it went to the wrong person, or my email (which are pretty
>curt, see example) has offended the RP and was discarded. What are you all
>doing about your alerts?
>[example email.]
>To Whom It May Concern:
>One of your customers, (host18.fastdial.net), made 69
>attempts to fingerprint my network via NMAP on 2003-04-02 03:43:39
>Pacific. Please see to it that this stops immediately. Thank you for your
>[/example email...]
>Thanks in advance!

Snort-users mailing list
Snort-users at lists.sourceforge.net