On 30 Sep 2001, Franck Martin wrote:
> If there was some kind of standard, it would help fight worms by
> informing IP owners that some machines have been infected. It would also
> help all Intrusion Detection Systems to inform system administrators of
> potential attacks with a detailed report...
There are some more advanced whois clients which have more knowledge on where to query and how, e.g. http://freshmeat.net/projects/whois/. That doesn't say, of course, that there wouldn't be any benefits from "standardization"...

On the IDS front, I would not like to make the reporting too easy. I'm completely fed up with "Top Notch IDS Products" returning "alarms" on e.g. the following:

- users running traceroute, on incoming icmp time exceeded messages triggering an icmp flood "detection"
- using a public ftp server, thus generating an ident query
- using an smtp server, -""-
- etc.

Most of the time, these reports are sent by people who have no idea what is going on at all. Spamming operators with these kinds of alarms shouldn't be encouraged.

(b.t.w: is there a web page somewhere which lists and gives reasons/pointers to usual "false alarms" like listed above? It might be useful as a pointer).

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
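The two false alarms Pekka lists (an "icmp flood" that is really the replies to the monitored host's own traceroute, and an "ident probe" that is really the ftp/smtp server the host just connected to asking who the user is) can be recognised by correlating the alert with the host's own outbound traffic shortly before it. The script below is an added example written for this page, not code from the thread or from any IDS product; its one-packet-per-line log format, the hosts, the 2-second window and the three-packet flood threshold are all constructed for illustration.

```python
"""Triage two classic IDS false alarms by correlating each alert with the
target host's own outbound traffic: ICMP time-exceeded "floods" caused by
traceroute, and TCP/113 ident "probes" caused by an FTP or SMTP server the
host just opened a session to.  Example code for this page; the log format,
addresses and thresholds are constructed, not a real tool's output."""

from collections import defaultdict
from dataclasses import dataclass

WINDOW = 2.0          # seconds: how far back to look for an explaining packet
FLOOD_THRESHOLD = 3   # ICMP time-exceeded to one host within WINDOW => "flood"

# Constructed log: "<time> <proto> <src> <sport> <dst> <dport> [info]".
# 192.0.2.10 traceroutes 198.51.100.7 (UDP probes with rising TTL, three
# routers answer), then fetches from an FTP server that sends an ident query.
# 192.0.2.20 gets three time-exceeded replies it never asked for, and
# 198.51.100.99 probes ident with no session behind it.
SAMPLE = """\
0.00 udp 192.0.2.10 33434 198.51.100.7 33434 ttl=1
0.01 icmp 192.0.2.1 0 192.0.2.10 0 time-exceeded
0.02 udp 192.0.2.10 33435 198.51.100.7 33435 ttl=2
0.03 icmp 203.0.113.1 0 192.0.2.10 0 time-exceeded
0.04 udp 192.0.2.10 33436 198.51.100.7 33436 ttl=3
0.05 icmp 203.0.113.9 0 192.0.2.10 0 time-exceeded
5.00 icmp 198.51.100.50 0 192.0.2.20 0 time-exceeded
5.01 icmp 198.51.100.51 0 192.0.2.20 0 time-exceeded
5.02 icmp 198.51.100.52 0 192.0.2.20 0 time-exceeded
9.00 tcp 192.0.2.10 40000 198.51.100.30 21 syn
9.20 tcp 198.51.100.30 51000 192.0.2.10 113 syn
12.00 tcp 198.51.100.99 52000 192.0.2.10 113 syn
"""


@dataclass
class Pkt:
    t: float
    proto: str   # udp | tcp | icmp
    src: str
    sport: int
    dst: str
    dport: int
    info: str    # constructed: "ttl=N", "time-exceeded", "syn" or ""


def parse(log: str) -> list[Pkt]:
    """Parse the constructed one-packet-per-line format used by SAMPLE."""
    pkts = []
    for line in log.splitlines():
        f = line.split()
        if not f:
            continue
        pkts.append(Pkt(float(f[0]), f[1], f[2], int(f[3]), f[4], int(f[5]),
                        f[6] if len(f) > 6 else ""))
    return pkts


def explained_by_traceroute(pkts: list[Pkt], icmp: Pkt) -> bool:
    """True if the ICMP target itself sent a TTL-limited UDP probe just before."""
    return any(p.proto == "udp" and p.src == icmp.dst
               and p.info.startswith("ttl=")
               and icmp.t - WINDOW <= p.t <= icmp.t
               for p in pkts)


def explained_by_outbound_session(pkts: list[Pkt], ident: Pkt) -> bool:
    """True if the ident target opened FTP/SMTP to the ident source just before."""
    return any(p.proto == "tcp" and p.info == "syn"
               and p.src == ident.dst and p.dst == ident.src
               and p.dport in (21, 25)
               and ident.t - WINDOW <= p.t <= ident.t
               for p in pkts)


def triage(log: str) -> list[dict]:
    """Run the two naive rules, then attach a verdict from the correlation."""
    pkts = parse(log)
    alarms = []

    # Naive rule 1: FLOOD_THRESHOLD time-exceeded messages to one host in WINDOW.
    by_target = defaultdict(list)
    for p in pkts:
        if p.proto == "icmp" and p.info == "time-exceeded":
            by_target[p.dst].append(p)
    for host, hits in by_target.items():
        for i in range(len(hits) - FLOOD_THRESHOLD + 1):
            burst = hits[i:i + FLOOD_THRESHOLD]
            if burst[-1].t - burst[0].t <= WINDOW:
                benign = all(explained_by_traceroute(pkts, h) for h in burst)
                alarms.append({"rule": "icmp-flood", "host": host,
                               "verdict": "traceroute" if benign else "investigate"})
                break

    # Naive rule 2: any inbound SYN to TCP/113.
    for p in pkts:
        if p.proto == "tcp" and p.dport == 113 and p.info == "syn":
            benign = explained_by_outbound_session(pkts, p)
            alarms.append({"rule": "ident-probe", "host": p.dst, "src": p.src,
                           "verdict": "own-ftp/smtp-session" if benign else "investigate"})
    return alarms


if __name__ == "__main__":
    for alarm in triage(SAMPLE):
        print(alarm)
```

Run stand-alone, it emits four alarms: the first "icmp-flood" and the first "ident-probe" carry the verdicts "traceroute" and "own-ftp/smtp-session" and would be dropped before anyone mails an operator, while the two with no outbound traffic behind them stay marked "investigate". The point is not the particular thresholds but that a report sent upstream should carry the correlation, not just the raw signature match.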