Re: 'nother question --


Subject: Re: 'nother question --
From: Patrick Wilke (pwilke@arctic.net)
Date: Sat Oct 27 2001 - 00:06:00 AKDT


Dee, right now I am using the following Snort rule:

# log telnet (TCP/23) between the local /24 and any outside host, either direction
log tcp !192.168.0.0/24 any <> 192.168.0.0/24 23

Here is a resource that I also used for writing rules.

http://www.clark.net/~roesch/snort_rules.html

On Friday 26 October 2001 09:08 pm, you wrote:
> Of course it's a bit dangerous but nmap has it:
>
> Some Common Options (none are required, most can be combined):
> * -O Use TCP/IP fingerprinting to guess remote operating system
>
> /Dee
>
> -----Original Message-----
> From: aklug-bounce@aklug.org [mailto:aklug-bounce@aklug.org]On Behalf Of
> Mike Tibor
> Sent: Friday, October 26, 2001 7:22 PM
> To: aklug@aklug.org
> Subject: Re: 'nother question --
>
> On Fri, 26 Oct 2001 jsaam@mcc-cpa.com wrote:
> > How can I find out who is hosting a webserver with a given IP? I want to
> > know who it is that is infected with the code red thing here, and is
> > attempting to infect my web server.
>
> Greg had a good suggestion in using whois. Another thing that I do is
> just do a traceroute. That tells me who the upstream provider is, and
> gives me another point of contact to complain to in the event that the
> owner of the box in question ignores me.
>
> I actually had to do this with onsale.com (the big auction site). They
> were making smtp connections to my mail server, but quitting the session
> just prior to DATA (as opposed to dropping it, as might happen with flaky
> connectivity between us). Several messages to the technical and
> administrative contacts from the whois output, as well as to
> [abuse|postmaster]@onsale.com were ignored. However, an email to the
> abuse address of their provider was not, and about an hour later I got a
> phone call from a management type at Onsale who finally explained what was
> going on. :-)
>
> Mike
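The Snort rule quoted at the top of this message has the classic header shape `action protocol src_net src_port direction dst_net dst_port`, and a header that drops one field (most often the protocol) is rejected by Snort. The script below is an added example, not Snort's own code and not from any poster on this list: it parses such a header, reports a missing or unknown field, and then decides whether a constructed packet 5-tuple would match, honouring CIDR blocks, the `!` negation, `any`, `lo:hi` port ranges and both the `->` and `<>` direction operators. The rule text, network, hosts and ports used at the bottom are the ones from the message plus constructed sample values.

```python
"""Added example (not Snort's own code): minimal matcher for Snort 1.x-style
rule headers of the form

    action protocol src_net src_port direction dst_net dst_port
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ACTIONS = {"alert", "log", "pass"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

AddrSpec = Tuple[bool, Optional[object]]           # (negated, network; None means 'any')
PortSpec = Tuple[bool, Optional[Tuple[int, int]]]  # (negated, (lo, hi); None means 'any')


def _parse_addr(spec: str) -> AddrSpec:
    negated = spec.startswith("!")
    body = spec[1:] if negated else spec
    if body == "any":
        if negated:
            raise ValueError("'!any' would never match")
        return (False, None)
    # strict=False accepts host bits in the prefix, e.g. 192.168.0.1/24
    return (negated, ip_network(body, strict=False))


def _parse_port(spec: str) -> PortSpec:
    negated = spec.startswith("!")
    body = spec[1:] if negated else spec
    if body == "any":
        if negated:
            raise ValueError("'!any' would never match")
        return (False, None)
    if ":" in body:                      # 'lo:hi', ':hi' or 'lo:' ranges
        lo, hi = body.split(":", 1)
        rng = (int(lo) if lo else 0, int(hi) if hi else 65535)
    else:
        rng = (int(body), int(body))
    if not 0 <= rng[0] <= rng[1] <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return (negated, rng)


@dataclass(frozen=True)
class RuleHeader:
    action: str
    protocol: str
    src: AddrSpec
    src_port: PortSpec
    direction: str
    dst: AddrSpec
    dst_port: PortSpec


def parse_header(rule: str) -> RuleHeader:
    """Parse the header of a rule; any option block in parentheses is ignored."""
    fields = rule.split("(", 1)[0].split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 header fields, got {len(fields)}: {rule!r}")
    action, proto, src, sport, direction, dst, dport = fields
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r} (protocol field missing?)")
    if direction not in ("->", "<>"):
        raise ValueError(f"bad direction {direction!r}")
    return RuleHeader(action, proto, _parse_addr(src), _parse_port(sport),
                      direction, _parse_addr(dst), _parse_port(dport))


def _addr_ok(spec: AddrSpec, ip: str) -> bool:
    negated, net = spec
    hit = True if net is None else ip_address(ip) in net
    return hit != negated


def _port_ok(spec: PortSpec, port: int) -> bool:
    negated, rng = spec
    hit = True if rng is None else rng[0] <= port <= rng[1]
    return hit != negated


def matches(rule: RuleHeader, proto: str, src_ip: str, src_port: int,
            dst_ip: str, dst_port: int) -> bool:
    """True if the 5-tuple matches the header; '<>' also tries the reverse."""
    if rule.protocol != "ip" and rule.protocol != proto:
        return False
    forward = (_addr_ok(rule.src, src_ip) and _port_ok(rule.src_port, src_port)
               and _addr_ok(rule.dst, dst_ip) and _port_ok(rule.dst_port, dst_port))
    if forward or rule.direction == "->":
        return forward
    # bidirectional rule: match the packet with source and destination swapped
    return (_addr_ok(rule.src, dst_ip) and _port_ok(rule.src_port, dst_port)
            and _addr_ok(rule.dst, src_ip) and _port_ok(rule.dst_port, src_port))


if __name__ == "__main__":
    telnet_rule = parse_header("log tcp !192.168.0.0/24 any <> 192.168.0.0/24 23")
    # constructed sample packets: outside host to inside telnet, and inside-only traffic
    print(matches(telnet_rule, "tcp", "10.1.2.3", 40000, "192.168.0.5", 23))
    print(matches(telnet_rule, "tcp", "192.168.0.7", 40000, "192.168.0.5", 23))
```

Feeding the six-field rule (without `tcp`) to `parse_header` raises a `ValueError` naming the field count, which is the quickest way to catch the slip before Snort refuses the whole rules file; the `<>` handling shows why the rule logs both the outside-to-inside SYN and the inside-to-outside reply.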



This archive was generated by hypermail 2a23 : Sat Oct 27 2001 - 00:05:52 AKDT