You might want to take a look at SecurityFocus ARIS Extractor http://freshmeat.net/projects/aris-extractor/?topic_id=43%2C152
-scm

On Wed, 29 May 2002, JM wrote:

> Folks,
>
> I am sure that some of you have already approached this
> matter, so I thought I would ask here.
>
> Basically, we are currently receiving an ever increasing
> number of intrusion attempts, (isn't everyone) and would like
> to automate a reaction to these attempts.
>
> Firstly, I would like to inform the owner of the address
> space which the attack has come from that this is happening.
> Secondly, I would like to report this address space for
> permitting this activity.
>
> We use Real Secure IDS, so having the ability to create
> scripts on the IDS is there, but we would prefer to do this
> from a mail type application.
>
> So, my questions are really,
>
> How to go about automating this process, i.e. what steps to
> take?
>
> Who to report these intrusion attempts to?
>
> Basically the way I see it so far is to take the alerts that
> are generated by the IDS, in a mail format, using some sort
> of script from that alert, extract the source address, do a
> whois on that source address, then find the admin and
> technical contacts for that address space from the whois and
> mail them a copy of the alert (confidential data removed)
> along with a warning that the information has been passed to
> the relevant authorities.
>
> Trouble is, who are the relevant authorities. And are they
> likely to take any action.
>
> I am sorry the mail is a bit long winded, but you get what I
> am trying to achieve, maybe you have already done this? All
> comments appreciated.
>
> Thanks
>
> JM
>
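
The workflow JM outlines above (alert mail, source address, whois, contacts, redacted copy), as an added example that is not part of the original thread and is not ARIS Extractor or RealSecure code. The alert body layout, the sample whois text and all function names are assumptions constructed for illustration; the live whois query is left out so the block runs offline.

```python
import ipaddress
import re
from email import message_from_string

# Constructed alert mail; the body layout is an assumption, not RealSecure's format.
SAMPLE_ALERT = """\
From: ids@example.org
Subject: IDS alert

Event: HTTP_probe
Source: 203.0.113.45
Destination: 10.1.2.3
"""
# Constructed whois reply with ARIN-style contact fields.
SAMPLE_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
OrgTechEmail:   noc@example.net
OrgAbuseEmail:  abuse@example.net
"""
# Address space with no outside owner to notify (RFC 1918, loopback, link-local).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_internal(text):
    """True for internal addresses and for strings that are not valid IPs."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return True
    return any(ip in net for net in INTERNAL)

def source_address(raw_mail):
    """Return the alert's source IP as a string, or None if it is not reportable."""
    body = message_from_string(raw_mail).get_payload()
    m = re.search(r"^Source:\s*(\S+)", body, re.MULTILINE)
    return m.group(1) if m and not is_internal(m.group(1)) else None

def contacts(whois_text):
    """Return abuse mailboxes from whois output, else the technical contacts."""
    pairs = [line.partition(":")[::2] for line in whois_text.splitlines()]
    mails = [(k.lower(), v.strip()) for k, v in pairs if "@" in v]
    abuse = [v for k, v in mails if "abuse" in k]
    return abuse or [v for k, v in mails if "tech" in k]

def redact(raw_mail):
    """Mask internal addresses in the alert body before it is sent outside."""
    body = message_from_string(raw_mail).get_payload()
    return re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b",
                  lambda m: "[redacted]" if is_internal(m.group(0)) else m.group(0), body)
```

Returning `None` for internal or malformed sources keeps the script from mailing anyone about traffic that has no outside owner.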