Network Security Incidents

Re: Maintaining a "watch list"

Subject: Re: Maintaining a "watch list"
Date: Thu, 4 Nov 2004 12:25:44 -0500

Hello,

Have you heard of mynetwatchman? Check out www.mynetwatchman.com. Lawrence Baldwin collects attack info from agents all over the world (currently approximately 1000) and uses it to generate warnings to ISPs and others responsible for the source of possible attacks. The software is also capable of generating a "watch list" of probable bad IPs. This list currently holds about 38000 IP addresses. It has been as high as 80000. We use it to automatically maintain firewall rules for shunning (as you say) known compromised or malicious computers.

Ragnar Paulson
The Software Group Limited

----- Original Message ----- 
From: "Kirby Angell" <kangell@alertra.com>
To: "Incidents List" <incidents@securityfocus.com>
Sent: Wednesday, November 03, 2004 6:03 PM
Subject: Maintaining a "watch list"


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would like to figure out a way I can maintain a "watch list" of IPs
that have generated traffic that is suspicious, but not suspicious
enough to warrant being shunned.  Ideally I'd like to be notified via
e-mail within a few minutes of the target IP connecting with my network;
no more than once per hour for each IP.  My need for this will become
apparent with a post I'll make to this list later tonight.

We monitor all the traffic coming into and out of our production
machines so I have some flexibility here.  I've thought of solutions
involving tcpdump, ngrep, and other things.  I just wondered what others
did when they have an IP that might turn out to be an attacker, but they
aren't sure yet.

- --
Thank you,

Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D  836A DB5B A751 9004 F4C0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBiWPL21unUZAE9MARAh5AAJ9QLvW+uSQcpVplLXXo8E/zWLJFTwCfcbyf
97GyWhZjNOnspd3b7iNB6Gg=
=RWwG
-----END PGP SIGNATURE-----
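The behaviour Kirby asks for (a watch list of suspicious-but-not-shunned IPs, a notification when one of them connects, and no more than one notification per IP per hour) written out as an added Python example. It is not code from the thread or from mynetwatchman; the log line format, the watch-list addresses (RFC 5737 documentation ranges) and the `notify` callback standing in for the e-mail step are all assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Constructed watch list: sources that are suspicious but not shunned.
# Exact addresses go in a set for O(1) lookup; prefixes are checked in a loop.
WATCH_IPS = {ipaddress.ip_address("198.51.100.17")}
WATCH_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample log, one inbound connection per line, in an assumed
# firewall-log style: "<YYYY-MM-DD HH:MM:SS> <src_ip>:<sport> > <dst_ip>:<dport>"
SAMPLE_LOG = """\
2004-11-03 18:03:10 192.0.2.44:51234 > 203.0.113.5:22
2004-11-03 18:05:22 192.0.2.44:51240 > 203.0.113.5:22
2004-11-03 18:10:01 198.51.100.17:4000 > 203.0.113.9:80
2004-11-03 18:40:45 10.0.0.8:3333 > 203.0.113.5:443
2004-11-03 19:04:00 192.0.2.44:51300 > 203.0.113.5:22
2004-11-03 19:30:00 198.51.100.17:4001 > 203.0.113.9:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[0-9.]+):(?P<sport>\d+) > (?P<dst>[0-9.]+):(?P<dport>\d+)$"
)


@dataclass
class WatchListAlerter:
    """Raises at most one alert per watched source IP per `interval`."""
    interval: timedelta = timedelta(hours=1)
    last_alert: Dict[str, datetime] = field(default_factory=dict)

    def is_watched(self, ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False  # not a valid address: cannot be on the list
        return addr in WATCH_IPS or any(addr in net for net in WATCH_NETS)

    def process_line(self, line: str) -> Optional[Tuple[str, datetime, str]]:
        """Return (src, timestamp, dst) if this line should trigger an alert."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None  # malformed or unrelated line: ignore it
        src = m.group("src")
        if not self.is_watched(src):
            return None
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        last = self.last_alert.get(src)
        if last is not None and ts - last < self.interval:
            return None  # still inside the hourly window for this IP
        self.last_alert[src] = ts
        return (src, ts, m.group("dst"))


def run(log_text: str,
        notify: Optional[Callable[[str], None]] = None
        ) -> List[Tuple[str, datetime, str]]:
    """Feed every line through the alerter; `notify` stands in for e-mail."""
    alerter = WatchListAlerter()
    alerts = []
    for line in log_text.splitlines():
        hit = alerter.process_line(line)
        if hit:
            alerts.append(hit)
            if notify:
                src, ts, dst = hit
                notify(f"watch-list hit: {src} -> {dst} at {ts:%Y-%m-%d %H:%M:%S}")
    return alerts


if __name__ == "__main__":
    run(SAMPLE_LOG, notify=print)
```

On the sample input the 192.0.2.44 connection at 18:05 is suppressed because one was already reported at 18:03, while the ones at 19:04 and 19:30 fire again because the hour has elapsed. In a live deployment the loop would read a tailed firewall log or tcpdump output line by line instead of a string, and `notify` would hand the message to sendmail; the suppression state is per process, so restarting it resets the hourly windows.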

