[Intrusions] `tattle`, now with goodness
Andrew Daviel
andrew at andrew.triumf.ca
Tue Jun 14 19:04:26 GMT 2005
On Mon, 13 Jun 2005, C.J. Steele, CISSP wrote:
> Andrew;
>
> If you're reading the [intrusions] list, you're probably not seeing
> quite a bit of the lynching I've taken on [bugtrq], which has caused
> `tattle` to evolve in many of the ways you're suggesting. Given the
> types of attacks we're all seeing, I suspect you'll find that `tattle`
> makes a best-effort attempt to report the mail to the right parties
> (i.e. abuse.net and then whois, where abuse doesn't reply), reverse
> lookups of IP addresses, etc...
I had a look at tattle, and it is certainly way more elegant
than my thing ... using Net::Whois::IP which does the
iteration through ARIN. My script is really ugly, but I will send you a
copy if you promise not to laugh....
I will also send the list of contacts, which is easier to work with...
I have not been reading Bugtraq, but I can imagine ...
I have been thinking to rewrite my script for about a year, and might
even get around to it. One problem is virus-infected spam where some
mail headers are bogus, but I'm assuming they are legit. Also, there
are still some errors in mailing registry contacts about reserved
IP blocks, domains moving between registries etc. (there is now
an Afrinic as well as Lacnic that's been around a few years, in addition
to the old ARIN, RIPE, KRNIC, etc).
I had a quick look also at Net::Whois (cf. Whois::IP) which is now
broken - tries to start at internic for .org, and other problems.
I'm using a system call on Linux to whois, which is now jwhois
and does some recursion already. Dealing with format changes
etc. is a pain - someone has to do it, either you or the
package providers if you use a 3rd-party tool.
My feeling is that if you go to the resolved address, you should get
the machine owner. However, they might be a bad guy. If you go to
the numeric address, you should get the service provider. You
may or may not get a better response, depending on how
they feel about security and whether they have a good mechanism in place
for contacting customers.
For ssh logs, it's a bit different from email as you don't usually have
the resolved address. I mean, not all addresses resolve in both
directions properly. For instance, my home business subleases an
address from a company that has a class C block from Sprint, and
we have forward DNS set up, but neither of us has been able to get
Sprint to set up reverse DNS. So looking up my .com would
find me, but looking up the numeric IP in ARIN would only get Sprint,
who I have serious doubts would forward anything to anybody.
I had a look at Whois::IP - it may be worth adding a search for
abuse@ in the comment fields. And it's not clear to me that it handles
the Japanese NIC in English properly. But it's certainly more elegant
than mine ...
Oh yes; I didn't check, but you certainly want to make sure you don't
report addresses more than once every few days ....
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
security at triumf.ca
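Two of the points above, the forward/reverse DNS mismatch and the rule of not reporting the same address more than once every few days, as an added Python example that is not part of `tattle` or Andrew's script; the DNS tables, hostnames, cooldown and state-file format are constructed for illustration, and a real script would replace the tables with live lookups.

```python
import json
import os
import tempfile
import time

# Constructed forward (A) and reverse (PTR) tables standing in for live DNS.
FORWARD_A = {"host.example.com": "192.0.2.10", "ws.example.net": "192.0.2.20"}
REVERSE_PTR = {"192.0.2.10": "host.example.com", "192.0.2.20": "dyn.example.org"}


def resolve_pair(ip, forward=FORWARD_A, reverse=REVERSE_PTR):
    """Return (ptr_name, confirmed): confirmed is True only when the PTR
    name's A record points back at ip (forward-confirmed reverse DNS)."""
    name = reverse.get(ip)
    if name is None:
        return None, False      # no reverse DNS at all; only the numeric route is left
    return name, forward.get(name) == ip


class ReportThrottle:
    """Remember when each IP was last reported so a repeat complaint is
    suppressed for min_interval seconds (default three days)."""

    def __init__(self, state_path, min_interval=3 * 86400, clock=time.time):
        self.state_path = state_path
        self.min_interval = min_interval
        self.clock = clock          # injectable so behaviour can be checked offline
        self.last = {}
        if os.path.exists(state_path):
            with open(state_path) as fh:
                self.last = json.load(fh)

    def should_report(self, ip):
        seen = self.last.get(ip)
        return seen is None or self.clock() - seen >= self.min_interval

    def record(self, ip):
        self.last[ip] = self.clock()
        with open(self.state_path, "w") as fh:
            json.dump(self.last, fh)


def new_state_path():
    """Scratch location for the state file (demo and tests only)."""
    return os.path.join(tempfile.mkdtemp(), "tattle-state.json")


def triage(ip, throttle):
    """Decide whether to report ip now and which whois route to prefer."""
    if not throttle.should_report(ip):
        return "skip: reported recently"
    name, confirmed = resolve_pair(ip)
    throttle.record(ip)
    if confirmed:
        return f"report via domain whois for {name}"
    return "report via numeric whois (provider)"
```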