[Dshield] Greetings and Suggestions

Wayne Larmon wlarmon at dshield.org
Sun Oct 5 13:28:44 GMT 2003

> First of all, I am a newbie to reporting and this list
> so greetings to all.
> I would like to raise a few questions if I may.
> 1.  Will the cvtwin reporting software be able to use
> PGP in the future?

This keeps being put on the back burner.  But I'll look into it again.

> 2.  For ease on personal report keeping,will cvtwin
> ever be intergrated into the defauld windows mailer
> (registry settings)?  The later may solve the first.

When I was trying to research how to do this I never found a way to do this.
If any programmers know how to do this, please contact me off list.

> 3.  Would the logging of MAC Addresses along with IP
> Addresses be an advantage for identifying Dynamic
> Address attacks?

We don't feel that this is valid information, or is very feasible.

1. because very few firewalls or routers log MAC addresses.

2. because a firewall would have to to a traceroute for each access, in
order to have a MAC address to log.  This isn't reasonable.

3. MAC addresses are real easy to fake.  A lot of routers have the MAC
address be user changable.  (This last point isn't very strong, because most
hostile accesses these days come from (otherwise innocent) infected
machines, so the chances are low that the machine's owner would change the
MAC address in his/her router.  But a live cracker can easily change their
MAC address.)

Most (but not all) admins can and do trace the individual user based on the
time stamps on the logs.  This is the main reason why we stress that
submitters use a time setting utility so that the time stamps in the logs
are accurate.

> Keep up the good work


Wayne Larmon
wlarmon at dshield.org

More information about the list mailing list