EXAMPLE: ### xxx Canada detected a penetration attempt from 209.123.x.229. Incident# xxxx

Pursuant to my previous post, I just rec'd this. Not exactly the same, but
very similar.

Kind of my point; SO WHAT THAT THIS PERSON WAS SCANNED? Is scanning
actually an illegal activity? Was anything actually hacked, cracked, or
0wn3d?

It's an absurd waste of resources to be emailed by automagic systems every
time someone sends a stray packet.

-- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben --
-- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --

> Kind of my point; SO WHAT THAT THIS PERSON WAS SCANNED? Is scanning
> actually an illegal activity? Was anything actually hacked, cracked, or
> 0wn3d?

Nope, it's not illegal (yet). But it might be suspicious...

> It's an absurd waste of resources to be emailed by automagic systems every
> time someone sends a stray packet.

Well, there's stray packets and there's stray packets...

> Source: 209.123.x.229
> Destination: Host-x.x.19.254
> Date: 26Oct2001
> Time: 4:50:23 (Local Calgary Time GMT-7)
> Service/Protocol: http

This could be suspicious *if* and *only if* Host-x.x.19.254 is known to
not be an http server. It may be totally innocuous - I've been known
to put http:// instead of ftp:// in a URL more than once myself.

Might be a user error at your site. Might be a misconfig at your site.
Might be a malicious user at your site. They don't know, and they can't
tell.

> Because we view this activity as possible intent to breach security, we
> ask you to review your logs and take appropriate action against the
> offending party responsible for this suspicious activity.

And they're correct - it *could* be. All they're asking is that you check
it out as per your procedures. If your procedures include hitting the big
button labeled "refile in trash", that's your decision. ;-)

We send a lot of similar notes of our own (though usually it takes more than
one stray packet to get our attention), and we receive a lot of similar notes
about our users (goes with the territory, we're a large university). We
do what we feel is proper in response (any 'first report' we get that involves
our NTP servers gets an FAQ sent back; we don't often hear back again).
And we're happy to get the reports - we've had more than one incident where
we didn't know we had a problem until we had *multiple* sites reporting that
the *same* box at our site was poking their stuff....

At least that one is relatively _polite_; we've received some from someone who was very rude and threatened to break into our systems to retaliate. Actually, I think it even hinted that the retaliation system was automated... not exactly the most comforting thing out there.

Vivien

I suppose if you see someone looking into the windows of your home and
hear them twisting the doorknobs you don't mind either, you just ignore
him and go about your business. After all, they didn't actually break in
did they? So, no worries.

-Dan

Blasphemy.

There is quite a difference, even in analogy, between some pinging/port
scanning and someone twisting my doorknobs.

If you can't see it, you won't.

I think that Alex's point is that if you want to *really* have a secure
network, you can't do it by sending out automated mails every time a stray
packet hits your network. That's likely to cause way more annoyance than any
good it could possibly do.

A much more effective way of proceeding would be to have a person looking at
each and every incident, deciding whether it merits a notice to the offending
network, and then sending a personal, non-threatening mail.

--Adam

Now I think that might be a bit much.. but you are right.. Sending out
e-mails like this is rather annoying. Instead of reporting every little
http request, maybe filter it so that only very suspicious ports are
reported?

Not that they're here to hear advice, but it's the thought that counts.

Pinging is not analogous to twisting doorknobs, I think of it more like
driving past your house - "yep, there's a house there." NMAP scans are
more like twisting doorknobs to me.

-C
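The filtering the thread keeps circling back to (a lone http packet is nothing unless the target is known not to be a web server; it "usually takes more than one stray packet" to get attention; only genuinely suspicious ports should ever trigger a notice; and a box named by several independent outside sites is the one worth looking at) as an added example in Python. This is not code from the thread or from any of the sites mentioned: the alert lines, the table of which internal hosts offer which services, the list of "suspicious" services and the thresholds are all constructed here for illustration, with the alert fields laid out like the Calgary notice quoted above.

```python
"""Triage before notifying anyone: drop the noise, threshold the rest.

Added example, not code from this thread. The alert lines, the host/service
table and the thresholds are constructed for illustration; the line shape
copies the fields of the Calgary notice (date, time, source, destination,
service).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed IDS alert lines (10.0.19.0/24 stands in for the site's own range).
SAMPLE_ALERTS = """\
26Oct2001 04:50:23 209.123.0.229 10.0.19.254 http
26Oct2001 04:50:24 209.123.0.229 10.0.19.254 http
26Oct2001 04:51:10 192.0.2.7 10.0.19.10 http
26Oct2001 04:52:00 198.51.100.9 10.0.19.254 ftp
26Oct2001 04:52:01 198.51.100.9 10.0.19.254 ssh
26Oct2001 04:52:02 198.51.100.9 10.0.19.254 smtp
26Oct2001 04:52:03 198.51.100.9 10.0.19.254 http
26Oct2001 04:52:04 198.51.100.9 10.0.19.254 pop3
26Oct2001 04:55:00 192.0.2.50 10.0.19.254 http
26Oct2001 04:55:30 192.0.2.50 10.0.19.254 http
26Oct2001 04:56:00 192.0.2.50 10.0.19.254 http
26Oct2001 04:57:00 192.0.2.50 10.0.19.254 http
26Oct2001 05:02:00 203.0.113.77 10.0.19.254 telnet
26Oct2001 05:10:00 203.0.113.4 10.0.19.40 ntp
"""

# Assumed site knowledge: which internal hosts legitimately offer which services.
KNOWN_SERVICES = {
    "10.0.19.10": {"http"},   # the real web server
    "10.0.19.40": {"ntp"},    # a public NTP server
    # 10.0.19.254 offers nothing to the outside
}

# Services whose mere appearance from outside earns a human look (assumed list).
SUSPICIOUS_SERVICES = {"telnet", "netbios-ssn", "sunrpc", "ms-sql-s"}


@dataclass
class Alert:
    when: datetime
    src: str
    dst: str
    service: str


def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, dst, service = line.split()
        when = datetime.strptime(f"{date} {time}", "%d%b%Y %H:%M:%S")
        alerts.append(Alert(when, src, dst, service))
    return alerts


def triage(alerts, known_services, min_events=3, scan_services=3,
           window=timedelta(minutes=5)):
    """Return {source: verdict}. 'ignore' = the destination really offers that
    service; 'log_only' = a stray packet or two, keep the record, tell nobody;
    'notify' = enough signal that a human should decide what to send."""
    by_src = defaultdict(list)
    verdicts = {}
    for a in alerts:
        if a.service in known_services.get(a.dst, set()):
            # http to the web server is a visitor, not an attacker
            verdicts.setdefault(a.src, {"verdict": "ignore", "reason": "destination offers service",
                                        "events": 0, "services": []})
            continue
        by_src[a.src].append(a)
    for src, evs in by_src.items():
        newest = max(e.when for e in evs)
        recent = [e for e in evs if newest - e.when <= window]  # events inside the window
        services = {e.service for e in recent}
        if services & SUSPICIOUS_SERVICES:
            verdict, reason = "notify", "suspicious service"
        elif len(services) >= scan_services:
            verdict, reason = "notify", "service sweep"
        elif len(recent) >= min_events:
            verdict, reason = "notify", "repeated"
        else:
            verdict, reason = "log_only", "below threshold"
        verdicts[src] = {"verdict": verdict, "reason": reason,
                         "events": len(recent), "services": sorted(services)}
    return verdicts


# Constructed inbound complaints about our own hosts: (reporting site, our host).
INBOUND_REPORTS = [
    ("abuse@example.net", "10.0.19.77"),
    ("security@example.org", "10.0.19.77"),
    ("noc@example.com", "10.0.19.77"),
    ("abuse@example.edu", "10.0.19.12"),
]


def correlate_inbound_reports(reports, min_reporters=2):
    """Our hosts named by several independent outside sites: the 'we didn't
    know we had a problem' case. Returns {host: sorted reporters}."""
    reporters = defaultdict(set)
    for site, host in reports:
        reporters[host].add(site)
    return {h: sorted(s) for h, s in reporters.items() if len(s) >= min_reporters}


if __name__ == "__main__":
    for src, v in triage(parse_alerts(SAMPLE_ALERTS), KNOWN_SERVICES).items():
        print(f"{src:15} {v['verdict']:8} {v['reason']} ({v['events']} events)")
    print("hosts named by multiple sites:", correlate_inbound_reports(INBOUND_REPORTS))
```

Run as-is, the two http packets from 209.123.0.229 to a host that serves no http end up logged but not mailed about, the http hit on the real web server is ignored outright, and only the five-service sweep, the four repeated hits and the telnet probe reach a human. The "ignore" table is the piece a site has to maintain itself; without it, every visitor to the web server looks like the Calgary notice.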


The problem with automated notifications to IDS alerts is that they are
justified with faulty reasoning.

1. I get too many security alerts, and notifying the responsible parties
takes too much of my time.
2. Most notifications are the same thing, only the addresses and timestamps
are different.
3. I'll automate the notifications to save me time.
.... few days later ....

4. Damn! My inbox is overflowing with people responding to my automated
notifications! It's taking too much time to answer them all.

He should have stopped at #1, first phrase: "I get too many security
alerts." Well dude, configure your IDS properly. Not every spark grows to
be a four alarm fire.

:The problem with automated notifications to IDS alerts is that they are
:justified with faulty reasoning.
:
:He should have stopped at #1, first phrase: "I get too many security
:alerts." Well dude, configure your IDS properly. Not every spark grows to
:be a four alarm fire.

My advice regarding IDSs is that it is ridiculous to have an IDS do anything
other than alert the human responsible for that sensor, as it is
either ineffectual or dangerous to have any other automated system reliably
act upon the information IDSs provide, in their current form.
This includes strikeback, attacker notification, or any contingencies.

As an IDS collects security information, it should not have access to
perform any action other than to store, and take steps to preserve the
integrity of that information. In any reasonable security policy where
separation of duties is enforced, a sensor shouldn't be trusted to
interpret the information it collects beyond the initial alert.

I think it's irresponsible of some of the home firewall vendors to
incorporate this into their products, as I can just imagine a DDoS
mail attack, where you spoof a couple of packets from the network you
want to damage, and thousands of idiot scripts send mail to the
ARIN contact information. This may sound irate, but seriously,
I think handing users these tools with no explanation is half-assed.

Though if they used a common XML alert format and could be sent to
a single site for processing (a la aris.securityfocus), that might
be a little more sensible.

It doesn't make sense to equip users with an automated incident
reporting tool with nobody to report to.

My 1.26904 cents after exchange.
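The two points in the last post, that thousands of auto-notifying home firewalls turn a few spoofed packets into a mail flood at the victim's abuse contact, and that a common alert format delivered to a single collection point is the saner design, as an added example in Python. This is not code from the thread, from any firewall vendor or from aris.securityfocus: the XML element names are a minimal shape made up here (not IDMEF or any real schema), the abuse-contact table is a constructed stand-in for an RIR whois lookup, and the sensor count is invented.

```python
"""Per-sensor auto-notification amplifies a spoofed scan; a central
aggregator collapses it.

Added example, not code from this thread or from any vendor. The XML element
names are a minimal shape invented here (not IDMEF or ARIS), the abuse-contact
table is a constructed stand-in for an RIR whois lookup, and the sensor count
is made up.
"""
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed stand-in for whois: network -> abuse mailbox.
ABUSE_CONTACTS = {
    ipaddress.ip_network("209.123.0.0/16"): "abuse@example.net",
    ipaddress.ip_network("198.51.100.0/24"): "abuse@example.org",
}


def abuse_contact(ip):
    addr = ipaddress.ip_address(ip)
    for net, contact in ABUSE_CONTACTS.items():
        if addr in net:
            return contact
    return "unknown"


def sensor_alert_xml(sensor_id, src, dst, service):
    """One sensor's alert, serialised in the common shape every sensor emits."""
    alert = ET.Element("alert")
    ET.SubElement(alert, "sensor").text = sensor_id
    ET.SubElement(alert, "source").text = src
    ET.SubElement(alert, "target").text = dst
    ET.SubElement(alert, "service").text = service
    return ET.tostring(alert, encoding="unicode")


def naive_notify(alert_xml):
    """What the home-firewall script does: one mail per alert, straight to the
    abuse contact of whatever address was in the packet. Returns (to, about)."""
    a = ET.fromstring(alert_xml)
    return abuse_contact(a.findtext("source")), a.findtext("source")


class Aggregator:
    """Single collection point: records who saw what, mails nobody by itself."""

    def __init__(self, min_sensors=3):
        self.min_sensors = min_sensors
        self.sensors_by_source = defaultdict(set)
        self.targets_by_source = defaultdict(set)

    def ingest(self, alert_xml):
        a = ET.fromstring(alert_xml)
        src = a.findtext("source")
        self.sensors_by_source[src].add(a.findtext("sensor"))
        self.targets_by_source[src].add(a.findtext("target"))

    def notifications(self):
        """One record per source, and only when independent sensors agree;
        a human reads these before anything goes out."""
        return {
            src: {"contact": abuse_contact(src),
                  "sensors": len(sensors),
                  "targets": len(self.targets_by_source[src])}
            for src, sensors in self.sensors_by_source.items()
            if len(sensors) >= self.min_sensors
        }


def spoofed_flood(n_sensors, victim="209.123.0.229"):
    """Constructed attack: one packet to each of n_sensors auto-notifying
    firewalls, each carrying the victim's address forged as the source."""
    return [sensor_alert_xml(f"home-fw-{i}", victim, f"192.0.2.{i % 250 + 1}", "http")
            for i in range(n_sensors)]


def compare(alerts, min_sensors=3):
    """Mails sent by the naive scheme versus records produced by the aggregator."""
    naive_mails = [naive_notify(a) for a in alerts]
    agg = Aggregator(min_sensors)
    for a in alerts:
        agg.ingest(a)
    return naive_mails, agg.notifications()


if __name__ == "__main__":
    mails, records = compare(spoofed_flood(1000))
    print(f"naive: {len(mails)} mails to {mails[0][0]}")
    print(f"aggregated: {len(records)} record(s): {records}")
```

With a thousand sensors the naive scheme sends a thousand mails to abuse@example.net, the contact for an address that never sent anything; the aggregator produces one record that says a thousand sensors saw the same source. Note what that record does not prove: a thousand "agreeing" sensors are no evidence the source is genuine, because a single unsolicited packet is exactly what a forged source address produces, and the spoofing cost is the same whether one sensor or a thousand receive it. The collapse fixes the mail flood; it is the human reading the record who has to remember that single-packet alerts carry no proof of origin.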