Folks, I am sure that some of you have already approached this matter, so I thought I would ask here.
Basically, we are currently receiving an ever-increasing number of intrusion attempts (isn't everyone?) and would like to automate a reaction to these attempts. Firstly, I would like to inform the owner of the address space which the attack has come from that this is happening. Secondly, I would like to report this address space for permitting this activity. We use RealSecure IDS, so the ability to create scripts on the IDS is there, but we would prefer to do this from a mail-type application.

So, my questions are really: how to go about automating this process, i.e. what steps to take? Who to report these intrusion attempts to?

Basically, the way I see it so far is to take the alerts that are generated by the IDS in a mail format, and using some sort of script on that alert, extract the source address, do a whois on that source address, then find the admin and technical contacts for that address space from the whois and mail them a copy of the alert (confidential data removed) along with a warning that the information has been passed to the relevant authorities. Trouble is, who are the relevant authorities? And are they likely to take any action?

I am sorry the mail is a bit long-winded, but you get what I am trying to achieve; maybe you have already done this? All comments appreciated. Thanks, JM

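The pipeline JM sketches (alert in, source address out, whois contacts, redacted copy mailed) as an added example that is not part of the original post and not RealSecure's own tooling. The alert layout, the field names, the whois text and all addresses are constructed assumptions; the whois reply is embedded so the script runs offline, and internal ranges are skipped because they cannot be the real origin.

```python
import re
from email.message import EmailMessage
from ipaddress import ip_address, ip_network

# Constructed sample alert in a simple key/value mail layout (assumed format,
# not a real RealSecure export).
ALERT = """Event: TCP port scan
Source: 203.0.113.45
Destination: 198.51.100.7
Time: 2003-05-12 09:14:02
Sensor: dmz-sensor-01
"""

# Constructed whois-style reply; in practice this is the output of a whois
# query on the source address.
WHOIS = """inetnum: 203.0.113.0 - 203.0.113.255
netname: EXAMPLE-NET
abuse-mailbox: abuse@example.net
tech-c: TC123
e-mail: tech@example.net
"""

CONFIDENTIAL = ("Destination", "Sensor")   # fields that never leave the site
# RFC1918/loopback sources are internal or spoofed; do not report them.
SKIP = [ip_network(n) for n in
        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def extract_source(alert):
    """Return the attacking IPv4 address from the alert's Source: line."""
    m = re.search(r"^Source:\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$", alert, re.M)
    return m.group(1) if m else None

def should_report(ip):
    return not any(ip_address(ip) in net for net in SKIP)

def find_contacts(whois_text):
    """Collect every e-mail address (abuse and tech) from the whois reply."""
    return sorted(set(re.findall(r"[\w.+-]+@[\w.-]+\.\w+", whois_text)))

def redact(alert):
    """Blank the values of confidential fields before the alert is sent."""
    out = []
    for line in alert.splitlines():
        key = line.split(":", 1)[0]
        out.append(f"{key}: [REDACTED]" if key in CONFIDENTIAL else line)
    return "\n".join(out)

def build_report(alert, whois_text, sender="security@example.org"):
    """Return the notification mail, or None if nothing should be sent."""
    src = extract_source(alert)
    if src is None or not should_report(src):
        return None
    contacts = find_contacts(whois_text)
    if not contacts:
        return None
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, ", ".join(contacts)
    msg["Subject"] = f"Intrusion attempt from {src}"
    msg.set_content("Our IDS logged the following from your address space.\n"
                    "A copy has been passed to the relevant authorities.\n\n"
                    + redact(alert))
    return msg
```

Feed `build_report` the alert body and real whois output, then hand the returned message to smtplib; a `None` result means the alert was not worth reporting.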