From: Andrew Daviel (andrew@andrew.triumf.ca)
Date: Tue Jun 19 2001 - 14:18:17 CDT


    On Mon, 18 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:

    > Hello,
    >
    > I am looking for a utility to use with Snort (running on Linux) similar to
    > the "Getcontact" utility seen on snort.org. It would be nice to be able to
    > automatically lookup contacts for the different ISPs and send out emails
    > when certain attacks occur. Does anyone have a script they could share that
    > could do this?

    My reporter script (the subject of some criticism for one false alert :-7)
    has a contact lookup module.
    Like most of my stuff, it's ugly Perl (what do you expect from an
    ex-FORTRAN programmer). http://andrew.triumf.ca/pub/security/reporter/

    The contact lookup algorithm keeps evolving. Currently, it works like
    this:

    Try to resolve the ip with DNS
    Failing that, try to get an Apache error message. Failing that, a sendmail
    banner (many APNIC sites don't resolve)
    Work along the name looking for an MX record.
    Look up the org. in a private database.
    Look up the org at whois.abuse.net
    Try mailing to "abuse" anyhow, and watch for a bounce.
    If it doesn't resolve,
    dig through whois records starting at whois.arin.net.
    Mail to "abuse" if it exists in the whois record.
    If the technical contact address seems to match the netblock, as it does
    for major ISPs & orgs, try mailing "abuse@org".
    Otherwise, mail any email address found in the record, except if
    it's IANA, meaning it's a private netblock and I didn't notice.
    Try not to mail people like "nic@apnic.net" if I can help it.

    dshield.org is doing something similar with aggregate records. They cache
    whois contacts and store them in a database. There's an SQL dump on the
    web. Abuse.net is really for spam complaints but I've started
    using their database for resolved names except where I know a more
    appropriate one, e.g. "security-nonverbose@uu.net" or whatever.

    As has been pointed out to me, an automated reporter is vulnerable to
    scans with spoofed source addresses as an attack on the credibility
    of the reporter. (Maybe I need a "credible limit" of total scans/hour)

    -- 
    Andrew Daviel, TRIUMF, Canada
    Tel. +1 (604) 222-7376
    security@triumf.ca
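The whois step of the contact lookup described in the post (mail "abuse" if the record has one, otherwise "abuse@" the technical contact's domain when that domain seems to match the netblock, otherwise any address in the record except IANA or a registry NIC), as an added Python example. This is not Andrew's reporter code; the whois records are constructed, and the "domain label appears in NetName/OrgName" heuristic is an assumption about what "seems to match the netblock" means.

```python
import re
from typing import Optional

# Constructed whois record (not a real netblock or contact).
SAMPLE_WHOIS = """\
NetRange:     203.0.113.0 - 203.0.113.255
NetName:      EXAMPLE-NET
OrgName:      Example Networks Inc.
TechEmail:    hostmaster@example.net
OrgTechEmail: noc@example.net
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Registry NIC mailboxes are never useful abuse contacts (assumed list).
REGISTRY_DOMAINS = {"apnic.net", "arin.net", "ripe.net"}


def extract_emails(record: str) -> list:
    """All distinct addresses in the record, in order of appearance."""
    return list(dict.fromkeys(EMAIL_RE.findall(record)))


def netblock_matches(domain: str, record: str) -> bool:
    """Assumed heuristic: the domain's first label appears in NetName/OrgName."""
    label = domain.split(".")[0].lower()
    for key in ("NetName", "OrgName"):
        m = re.search(rf"^{key}:\s*(.+)$", record, re.M)
        if m and label in m.group(1).lower():
            return True
    return False


def pick_contact(record: str) -> Optional[str]:
    """Apply the post's whois rules; None means 'do not mail anyone'."""
    emails = extract_emails(record)
    # An IANA contact means a private/reserved netblock was looked up: stop.
    if any(e.lower().endswith("@iana.org") for e in emails):
        return None
    abuse = [e for e in emails if e.lower().startswith("abuse@")]
    if abuse:
        return abuse[0]
    tech = re.search(r"^TechEmail:\s*(\S+)", record, re.M)
    if tech:
        domain = tech.group(1).split("@")[1]
        if netblock_matches(domain, record):
            return "abuse@" + domain
    for e in emails:
        if e.split("@")[1].lower() not in REGISTRY_DOMAINS:
            return e
    return None
```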
    

    Snort-users mailing list: Snort-users@lists.sourceforge.net
    Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users