
Re: Nimda virus and whois search...

2001-09-30 03:40:03
On 30 Sep 2001, Franck Martin wrote:
> If there was some kind of standard, it would help fighting worms by
> informing IP owners that some machines have been infected. It would also
> help all Intrusion detection System to inform system administrator of
> potential attacks with a detailed report...

There are some more advanced whois clients which have more knowledge on
where to query and how, e.g. http://freshmeat.net/projects/whois/.

That doesn't say, of course, that there wouldn't be any benefits from
"standardization"...

On the IDS front, I would not like to make the reporting too easy.  I'm
completely fed up with "Top Notch IDS Products" returning "alarms" on e.g.
the following:

 - users running traceroute, on incoming icmp time exceeded messages
triggering an icmp flood "detection"
 - using a public ftp server, thus generating an ident query
 - using an smtp server, -""-
 - etc.

Most of the time, these reports are sent by people who have no idea what is
going on at all.  Spamming operators with these kinds of alarms shouldn't
be encouraged.

(b.t.w: is there a web page somewhere which lists and gives
reasons/pointers to usual "false alarms" like those listed above?  It might be
useful as a pointer).

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
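As an added illustration (not part of the original post or thread) of why the two alarm classes above are false positives, the script below runs a naive "IDS" and a correlated one over a constructed flow log. The log format, the thresholds, the correlation window and the host addresses are assumptions made for this example; only the UDP port range 33434 and up (the classic UNIX traceroute probe ports) and TCP port 113 (ident) are real protocol facts. The correlated version suppresses ICMP time-exceeded messages while the monitored host is itself running a traceroute, and ident queries that arrive from a server the host connected to moments earlier, while still reporting an unsolicited ident probe and a genuine burst of echo requests.

```python
from collections import deque

# Constructed flow-log format (an assumption for this example, not any IDS's
# real output): "<ts> <proto> key=value key=value ...", timestamps in seconds.
# 10.0.0.5 is the monitored host; the other addresses are documentation ranges.
SAMPLE_LOG = """\
10 udp src=10.0.0.5 dst=203.0.113.9 sport=33434 dport=33434 ttl=1
10 icmp src=198.51.100.1 dst=10.0.0.5 type=11 code=0
11 udp src=10.0.0.5 dst=203.0.113.9 sport=33434 dport=33435 ttl=2
11 icmp src=198.51.100.2 dst=10.0.0.5 type=11 code=0
12 udp src=10.0.0.5 dst=203.0.113.9 sport=33434 dport=33436 ttl=3
12 icmp src=198.51.100.3 dst=10.0.0.5 type=11 code=0
20 tcp src=10.0.0.5 dst=192.0.2.21 sport=40001 dport=21 flags=S
20 tcp src=192.0.2.21 dst=10.0.0.5 sport=1023 dport=113 flags=S
30 tcp src=10.0.0.5 dst=192.0.2.25 sport=40002 dport=25 flags=S
30 tcp src=192.0.2.25 dst=10.0.0.5 sport=1022 dport=113 flags=S
40 tcp src=192.0.2.99 dst=10.0.0.5 sport=5555 dport=113 flags=S
50 icmp src=192.0.2.66 dst=10.0.0.5 type=8 code=0
50 icmp src=192.0.2.66 dst=10.0.0.5 type=8 code=0
51 icmp src=192.0.2.66 dst=10.0.0.5 type=8 code=0
"""

ICMP_WINDOW, ICMP_THRESHOLD = 10, 3      # assumed naive rule: 3 inbound ICMP in 10 s
CORRELATION_WINDOW = 60                  # assumed: how long our own traffic stays "recent"
TRACEROUTE_PORTS = range(33434, 33535)   # classic UNIX traceroute UDP probe ports
IDENT_PORT = 113

def parse(line):
    """Turn one constructed log line into a dict; numeric values become ints."""
    ts, proto, *kv = line.split()
    ev = {"ts": int(ts), "proto": proto}
    for item in kv:
        k, v = item.split("=", 1)
        ev[k] = int(v) if v.isdigit() else v
    return ev

def triage(log, local, correlate=True):
    """Return the alerts raised for traffic to `local`.

    correlate=False reproduces the naive behaviour the post complains about;
    correlate=True suppresses the two false-alarm classes by remembering what
    `local` itself sent shortly before the suspicious inbound packet.
    """
    alerts = []
    inbound_icmp = deque()   # timestamps of recent inbound ICMP (for the flood rule)
    probes = deque()         # timestamps of recent outbound traceroute probes
    outbound = {}            # remote ip -> ts of our last outbound TCP connection
    for line in log.splitlines():
        ev = parse(line)
        ts = ev["ts"]
        if ev["src"] == local:
            # Outbound traffic only feeds the correlation state.
            if ev["proto"] == "udp" and ev["dport"] in TRACEROUTE_PORTS:
                probes.append(ts)
            elif ev["proto"] == "tcp":
                outbound[ev["dst"]] = ts
            continue
        if ev["proto"] == "icmp":
            while probes and ts - probes[0] > CORRELATION_WINDOW:
                probes.popleft()
            if correlate and ev["type"] == 11 and probes:
                continue  # time-exceeded reply to our own traceroute, not an attack
            inbound_icmp.append(ts)
            while inbound_icmp and ts - inbound_icmp[0] > ICMP_WINDOW:
                inbound_icmp.popleft()
            if len(inbound_icmp) >= ICMP_THRESHOLD:
                alerts.append(f"{ts} icmp flood from {ev['src']}")
                inbound_icmp.clear()
        elif ev["proto"] == "tcp" and ev["dport"] == IDENT_PORT:
            last = outbound.get(ev["src"])
            if correlate and last is not None and ts - last <= CORRELATION_WINDOW:
                continue  # ident query from a server we just connected to (ftp/smtp)
            alerts.append(f"{ts} ident probe from {ev['src']}")
    return alerts

if __name__ == "__main__":
    print("naive:     ", triage(SAMPLE_LOG, "10.0.0.5", correlate=False))
    print("correlated:", triage(SAMPLE_LOG, "10.0.0.5"))
```

The naive pass raises five alerts, three of which are the traceroute replies and the two legitimate ident lookups; the correlated pass keeps only the unsolicited ident probe and the echo-request burst. The design point is that both suppressions need state about the host's own outbound traffic, which a sensor looking only at inbound packets never has.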
