myNetWatchman has a work-in-progress search-by-AS http://www.mynetwatchman.com/ListIncidentbyASSummary.asp?AS=YOUR_AS_HERE On Wed, Nov 12, 2003 at 06:56:50PM -0500, Jamie Reid wrote:
It would be useful if these sites allowed you to query them with CIDR ranges to see if your site had originated any traffic that triggered their sensor arrays. The IDS community never seems to have wrapped its collective head around routing information. Looking up single IP addrs is just cosmetic. A real service would allow for concerned sites to check their entire address allocations.
The solution we have takes a massive amount of data munging of a routing table and is still experimental, but until attacks can be mapped to meaningful Internet topographical information, the real value of these distributed IDS efforts cannot be fully exploited.
I can forsee the argument that people shouldn't be able to look up other sites which might be compromised, but if they are really so concerned, they should get their sites patched. -- Jamie.Reid, CISSP, jamie.reid@mbs.gov.on.ca Senior Security Specialist, Information Protection Centre Corporate Security, MBS 416 327 2324
"Bryan Bradsby" <Bryan.Bradsby@capnet.state.tx.us> 11/12/03 04:25pm >>>
Devise a system that assumes owners of IP space WANT to know about problems. report --open-proxy 192.168.1.1 <logfiles and have a report sent to whoever needed to know about it.
http://www.Incidents.org http://www.Dshield.org/howto.php http://www.MyNetWatchman.com
-- Dan