Just a thought.  Automatic responses do have a DoS ring to them.  IP Spoofing 
could make you an unwitting attacker.  There are many dangers to automated 
responses such as the one you are thinking of.  What safeguards are you 
considering?


>From: JM <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: Reacting to IDS alerts
>Date: Wed, 29 May 2002 11:20:32 +0100
>Received: from outgoing.securityfocus.com ([66.38.151.27]) by hotmail.com 
>with Microsoft SMTPSVC(5.0.2195.4905); Wed, 29 May 2002 17:05:33 -0700
>Received: from lists.securityfocus.com (lists.securityfocus.com 
>[66.38.151.19])by outgoing.securityfocus.com (Postfix) with QMQPid 
>1B31AA31D3; Wed, 29 May 2002 11:43:25 -0600 (MDT)
>Received: (qmail 15552 invoked from network); 29 May 2002 10:18:15 -0000
>Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
>Precedence: bulk
>List-Id: <security-basics.list-id.securityfocus.com>
>List-Post: <mailto:[EMAIL PROTECTED]>
>List-Help: <mailto:[EMAIL PROTECTED]>
>List-Unsubscribe: <mailto:[EMAIL PROTECTED]>
>List-Subscribe: <mailto:[EMAIL PROTECTED]>
>Delivered-To: mailing list [EMAIL PROTECTED]
>Delivered-To: moderator for [EMAIL PROTECTED]
>Message-Id: <[EMAIL PROTECTED]>
>X-Mailer: Mirapoint Webmail Direct 2.8.1.2
>Return-Path: 
>[EMAIL PROTECTED]
>X-OriginalArrivalTime: 30 May 2002 00:05:34.0062 (UTC) 
>FILETIME=[B80F10E0:01C2076D]
>
>Folks,
>
>I am sure that some of you have already approached this
>matter, so I thought I would ask here.
>
>Basically, we are currently receiving an ever increasing
>number of intrusion attempts, (isn't everyone) and would like
>to automate a reaction to these attempts.
>
>Firstly, I would like to inform the owner of the address
>space which the attack has come from that this is happening.
>Secondly, I would like to report this address space for
>permitting this activity.
>
>We use Real Secure IDS, so having the ability to create
>scripts on the IDS is there, but we would prefer to do this
>from a mail type application.
>
>So, my questions are really,
>
>How to go about automating this process, i.e. what steps to
>take?
>
>Who to report these intrusion attempts to?
>
>Basically the way I see it so far is to take the alerts that
>are generated by the IDS, in a mail format, using some sort
>of script from that alert, extract the source address, do a
>whois on that source address, then find the admin and
>technical contacts for that address space from the whois and
>mail them a copy of the alert (confidential data removed)
>along with a warning that the information has been passed to
>the relevant authorities.
>
>Trouble is, who are the relevant authorities.  And are they
>likely to take any action.
>
>I am sorry the mail is a bit long winded, but you get what I
>am trying to achieve, maybe you have already done this?  All
>comments appreciated.
>
>Thanks
>
>JM


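Added illustration, not part of either message in this thread and not code from RealSecure or any list member: a sketch of the pipeline JM describes (alert mail in, source address out, sanitised report to the network's abuse contact) with the safeguards the reply above asks about built in. The alert format, the addresses, the hostnames and the contact table are all constructed for the example; the whois step is replaced by a static lookup table so the script runs offline. The safeguards are: never report non-routable or private sources, treat non-TCP alerts as unverifiable because their source address can be spoofed, require the alert to repeat before escalating, redact internal addresses and hostnames, and rate-limit reports per source /24 so a flood of spoofed alerts cannot turn the responder into a mail-bomb aimed at a third party.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from email import message_from_string

# Constructed sample alert in a simple "field: value" mail body. It is a stand-in
# for whatever the IDS mails out, not RealSecure's real alert format.
SAMPLE_ALERT = """\
From: ids@example.internal
To: secops@example.internal
Subject: IDS alert: HTTP_IIS_Unicode
Date: Wed, 29 May 2002 11:20:32 +0100

Signature: HTTP_IIS_Unicode
Protocol: TCP
Source: 203.0.113.45:3152
Destination: 10.0.0.12:80 (www-int.example.internal)
Count: 12
"""

# Source addresses never worth reporting: RFC 1918, loopback, link-local,
# multicast and other non-routable space. Such a source is misconfiguration
# or a spoofed packet, and a report would only reach the wrong people.
NEVER_REPORT = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Our own (constructed) address space and domain, redacted from outbound mail.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
INTERNAL_DOMAIN = "example.internal"

# Hypothetical stand-in for the whois lookup: network -> abuse contact.
ABUSE_CONTACTS = {ipaddress.ip_network("203.0.113.0/24"): "abuse@isp.example"}


def parse_alert(raw):
    """Parse the alert mail into a dict with typed source/destination addresses."""
    body = message_from_string(raw).get_payload()
    fields = dict(re.findall(r"^([A-Za-z]+):\s*(.*)$", body, re.M))
    src_ip, _, src_port = fields["Source"].rpartition(":")
    dst_ip = fields["Destination"].split(":", 1)[0]
    return {"signature": fields["Signature"], "protocol": fields["Protocol"].upper(),
            "source": ipaddress.ip_address(src_ip), "source_port": int(src_port),
            "destination": ipaddress.ip_address(dst_ip),
            "count": int(fields.get("Count", "1")), "body": body}


def is_reportable(alert, min_count=5):
    """Safeguards against acting on a spoofed, misdirected or one-off alert."""
    src = alert["source"]
    if any(src in net for net in NEVER_REPORT):
        return False
    # A lone UDP or ICMP packet can carry any source address, so a report built
    # on it may accuse an innocent third party. Only act on TCP alerts, where a
    # payload signature implies the source actually completed a handshake.
    if alert["protocol"] != "TCP":
        return False
    return alert["count"] >= min_count       # require repetition before escalating


def redact(text):
    """Replace internal IPv4 addresses and hostnames before the text leaves the org."""
    def _ip(m):
        addr = ipaddress.ip_address(m.group(0))
        return "[internal-host]" if any(addr in n for n in INTERNAL_NETS) else m.group(0)
    text = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", _ip, text)
    return re.sub(r"\b[\w.-]+\." + re.escape(INTERNAL_DOMAIN) + r"\b", "[internal-host]", text)


class ReportThrottle:
    """Cap outbound reports per source /24 and time window, so a burst of
    (possibly spoofed) alerts cannot make us flood someone's abuse desk."""
    def __init__(self, max_per_window=3, window=timedelta(hours=24)):
        self.max_per_window, self.window = max_per_window, window
        self.sent = defaultdict(list)        # /24 network -> timestamps of reports sent

    def allow(self, src, now):
        key = ipaddress.ip_network(f"{src}/24", strict=False)
        recent = [t for t in self.sent[key] if now - t < self.window]
        self.sent[key] = recent
        if len(recent) >= self.max_per_window:
            return False
        recent.append(now)
        return True


def build_report(raw, throttle, now=None):
    """Return the sanitised report to send, or None if a safeguard blocked it."""
    now = now or datetime.now()
    alert = parse_alert(raw)
    if not is_reportable(alert):
        return None
    contact = next((c for n, c in ABUSE_CONTACTS.items() if alert["source"] in n), None)
    if contact is None or not throttle.allow(alert["source"], now):
        return None
    return {"to": contact,
            "subject": f"Abuse report: {alert['signature']} from {alert['source']}",
            "body": redact(alert["body"])}


def run_demo():
    """Exercise each safeguard on the constructed alert; returns the outcomes."""
    now = datetime(2002, 5, 29, 11, 20)
    throttle = ReportThrottle(max_per_window=2)
    return {
        "first": build_report(SAMPLE_ALERT, throttle, now),
        "second": build_report(SAMPLE_ALERT, throttle, now),
        "third": build_report(SAMPLE_ALERT, throttle, now),             # over the /24 cap
        "later": build_report(SAMPLE_ALERT, throttle, now + timedelta(days=2)),
        "udp": build_report(SAMPLE_ALERT.replace("Protocol: TCP", "Protocol: UDP"),
                            ReportThrottle(), now),                     # unverifiable source
        "rfc1918": build_report(SAMPLE_ALERT.replace("203.0.113.45", "192.168.1.9"),
                                ReportThrottle(), now),                 # non-routable source
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "->", "sent to " + result["to"] if result else "suppressed")
```

The redaction deliberately keeps the attacker's address and the signature name, which the abuse desk needs, and strips only our side of the conversation; the per-/24 cap is the piece that answers the "unwitting attacker" concern, since without it every spoofed alert becomes a message we send on the spoofer's behalf.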