Slashdot Mirror

← Back to Stories (view on slashdot.org)

Attack Registry And Intelligence Service

Posted by CmdrTaco on from the something-smelly-in-your-logs dept.

thelaw writes: "SecurityFocus just announced the start of their new service, ARIS (Attack Registry and Intelligence Service) Analyzer. The service allows you to submit logs from several different intrusion detection systems automatically and quasi-anonymously. Looking at the front page, they seem to have over 700,000 incidents already reported since starting."

73 comments

  1. Change the URL to point to port 23 by Decado · · Score: 5

    And I'll bet they can clear 1,000,000 attacks before the day is out.

    --

    Slashdot: Proof that a million monkeys at a million typewriters can create a masterpiece

    1. Re:Change the URL to point to port 23 by ZaneMcAuley · · Score: 1

      teehee, titter, hehehehe yup, i seem to have a mind of a 3 year old :D

      --
      ----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
  2. Potential problem by ChazeFroy · · Score: 5

    This centralized service for reporting will lead to some falsified logs being submitted to get somebody in trouble. I hope people use this service, but I also hope they take it with a grain of salt.

    1. Re:Potential problem by Greyfox · · Score: 2
      I was just thinking that would be a perfect attack for this system. Just submit enough falsified logs that it becomes worthless.

      You could prevent such an attack by implementing user IDs with cryptographic signing, but you lose some of your anonymity that way as you'd need to reject user ID applications from throwaway accounts such as from Hotmail.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  3. Of course, by blair1q · · Score: 3

    Of course, all too soon, they will have a whole category for "slashdotted"...

    --Blair

  4. Inegrated on-the-fly logging... by TWX_the_Linux_Zealot · · Score: 1

    ... and it'll be much harder for someone to break into a box and rifle the logs before someone else can look at them. It's not a guarantee that the system will be safe and secure, but it could be a nice deterrent to someone hacking and thinking that they can just clean the logs of their activities later...

    "Titanic was 3hr and 17min long. They could have lost 3hr and 17min from that."

    --

    IBM had PL/1, with syntax worse than JOSS,
    And everywhere the language went, it was a total loss...
  5. How many of those "attacks" by HerrGlock · · Score: 1

    Are sites linked from /. thinking they're in the middle of a DoS attack?

    DanH
    Cav Pilot's Reference Page

    --
    Cav Pilot's Reference Page
    UNIX - Not just for Vestal Virgins anymore
  6. Anonymous? by cavemanf16 · · Score: 5
    Well, the US sure seems to be getting bombarded. I didn't know there were that many political attackers and script kiddie crackers out there. Maybe this will show some US companies just how big a deal security (including protecting the info they always collect on me) really is.

    And my bit of paranoia for the day:
    Why do they keep saying how 'secure and private' the log files you send them are? Can't they just trace the IP that sent the log right back to the company and/or individual who owns the IP (unless of course it's a dynamic IP being assigned)? Not that they would want to do so, but let's just stop advertising privacy. There is no privacy on the net. It's like streaking thru a crowded marketplace; not many people notice, but those that do get to see the whole deal.

    1. Re:Anonymous? by ajuda · · Score: 1

      I would hope that any system administrator, who was smart enough to know what a log is, would also know what a proxy server is. Problem solved.


      This message was encrypted with rot-26 cryptography.

    2. Re:Anonymous? by Delphis · · Score: 1

      There is no privacy on the net. It's like streaking thru a crowded marketplace; not many people notice, but those that do get to see the whole deal.

      LOL .. that's one of the most amusing internet privacy analogies I've ever heard.

      --
      Delphis

      --
      Delphis
    3. Re:Anonymous? by ryanr · · Score: 2

      Well, the US sure seems to be getting bombarded.

      That's the number of attacks the US is sending, not receiving.

  7. I don't think so. by ljavelin · · Score: 2

    Although some interesting information could pop out of the service, I don't see any real benefit for ME to submit MY logs. In fact, I only see potential harm... after all, what if their security is breached?

    If I'm shown to be wrong, then I must reconsider. But for now, I'll stay on the sidelines.

    1. Re:I don't think so. by Tricolor+Paulista · · Score: 2
      In fact, they're creating the biggest repository of cracker data in the Web!! If they get compromised, everybody using their services will be painted in red as potential targets.

      I sincerely hope this won't happen, but you can't be too careful...

      --
      Linux *is* user friendly. It's not idiot-friendly or fool-friendly!
    2. Re:I don't think so. by rde · · Score: 1

      I don't see any real benefit for ME to submit MY logs. In fact, I only see potential harm...
      "I don't see any real benefit for ME to stop spamming. In fact, I only see potential loss of revenue..."

    3. Re:I don't think so. by Shardis · · Score: 1
      If you would have bothered to actually read some of the info, you would have noticed that you can scrub your logs to preserve such things as privacy...

      Q: Do I have to clean my IP address and other identifying information out of my IDS logs before sending them to ARIS analyzer?

      A: You always have the choice of how much information you wish to send. You may decide to strip address information when cleaning logs in ARIS extractor.

      So clean yer logs of IP's you don't want to give them... :)

    4. Re:I don't think so. by ryanr · · Score: 2

      If they get compromised, everybody using their services will be painted in red as potential targets.

      Not really. IDS' don't typically record whether the intrusion was successful, they just record attempts. This information doesn't really help you attack anybody. You'd still have to make the attempt yourself to determine vulnerability.

  8. US bombarded? by JohnTheFisherman · · Score: 1
    Well, the US sure seems to be getting bombarded.

    Really? It doesn't look like the US is disproportionately represented in this list. All of the 'generic' domains plus .us equals ~60%, and a significant number of .coms (over half of that 60%, BTW) are not US sites.

    --
    +5:offtopic,but anti-American
  9. isn't.... by thrillbert · · Score: 1

    cat /var/logs/security | awk '{print $2 " " $3 " " $4} | sort | uniq -c | sort

    doing the same thing except that it's not in pretty html format?

    1. Re:isn't.... by thrillbert · · Score: 1

      Can I be geeky like you.

      Sorry to tell you, but I work for a very large organization in which I use this command on a daily basis to monitor our border routers' logs. This allows me to keep an eye out on different ports being probed and allows me the ability to create ACLs to block those ports..

      Why don't you go right click something and upload your logs to have the analisys done for you.

    2. Re:isn't.... by Delphis · · Score: 1

      Wouldn't something like PortSentry be easier?

      That and LogCheck to make picking out interesting log entries a breeze.

      --
      Delphis

      --
      Delphis
    3. Re:isn't.... by thrillbert · · Score: 1

      Hey, dumbass. Only ISPs with peering have "border routers". Perhaps you were trying to come up with a cool word for "external router".

      Boy, you sure are smarter than your average pet rock. Maybe you should take that Netopia router back to where you bought it and let them know that you finally realized that having it != you being a network admin.

      It'd be hard to run a global network with multiple links to the net and multiple campuses running on that single router eh?

    4. Re:isn't.... by ryanr · · Score: 2

      Briefly, we provide a way to automate your incident reporting, correlation with other users who have been attacked by the same IP, and essentially a way to cast one more "vote" against an attacker. The latter two items can't be done in isolation. Plus, we provide links to what your IDS description actually means, in case you want to look it up.

  10. hey! by Anonymous Coward · · Score: 1

    Hey i'm still waiting for the cheesy Jon Katz article about the oscars for special effects and how those poor picked on geeks have changed the movie inuistry forever and set a new paradigm for the antiquated movie industry...

    blech...

  11. Am I the only one who missed the point? by GodHead · · Score: 4

    I must have missed something.

    I'm not trying to troll or anything but other than the "Cool" factor what does this service do? How is knowing the most common attack types going to help me? The common ones are already patched by clued-in admins. I mean did you see the common attack list? If you're open to SNMP GET you have problems.

    Are they going to try and find new attacks with the data or something?

    G.H.

    --
    Just wait till some crappy band steals your nic.
    1. Re:Am I the only one who missed the point? by Zeinfeld · · Score: 1
      The information will be usefull to security protocol designers such as myself I guess. But sysadmins surely need something more automated and targetted.

      Ad hoc descriptions of vulnerabilities only get so far however. Most of the time the average lamer is trying techniques that were reported on Bugtraq years before and were patched and CERT advised months ago.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    2. Re:Am I the only one who missed the point? by doctor_oktagon · · Score: 2

      Most of the time the average lamer is trying techniques that were reported on Bugtraq years before and were patched and CERT advised months ago.

      NO! The main problem in this sad landscape of crappy administration is that no one bothers patching any of their systems because they:

      a) Don't know what CERT is never mind read it
      b) Don't know what BUGTRAQ is never mind read it

      Most of the systems being hacked are NT or Linux servers which are deployed in the heat of the moment and then forgotten about forevermore.

    3. Re:Am I the only one who missed the point? by Zeinfeld · · Score: 1
      NO! The main problem in this sad landscape of crappy administration is that no one bothers patching any of their systems because they:

      Quite so, which is why the lamers don't need to be any more sophisticated.

      If more people stripped down the servers before they deployed them there would be fewer incidents. When I deploy a hardened system I remove ftpd from the inetd file and delete the executable off the system, same for sendmail, finger, nfs etc.

      A lot of security problems could also be eliminated by better O/S and programming language design. On the VAX system any attempt to overwrite the stack caused an exception. Array bounds checking was arround and standard in the 1960s. Today we have to put up with buffer overrun errors. It should not be necessary to take the performance hit of Java just to get array bounds checking (and yes I know the markethead claim that there is no hit if you code right - it is maketting bollocks)

      UNIX could do with a complete clean up job. There is far too much complexity and left over dross from years ago hanging arround.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    4. Re:Am I the only one who missed the point? by MadAhab · · Score: 3
      These could be useful for forensics after a major DDoS, since security professionals and law enforcement could look for origin sites in these logs.

      The common attacks ARE patched against by clued-in admins, but you don't get an army of DDoS zombie boxes by ignoring the obvious exploits. I get scanned all the time for the most obvious security holes; port 137, port 53, port 111. When I've bothered to look, the source boxes have been (half the time - often the sources are fake!) unpatched-looking RedHat boxes from home internet connections (ISPs,broadband or otherwise). And in the weeks following the recent issues with BIND, I have regularly been scanned for port 53, and these guys are scanning whole networks of addresses for this port only.

      In an ideal world, I would report these scans, and the administrators of the source boxen might be notified that their machines have already been hacked and are being used for scans, which could help prevent major DoS attacks, or even be used to observe packet monkeys early enough in the game to trace back to their origin (as opposed to getting to the attack boxes and finding a bunch of erased logs).

      I'm not saying it will work, or that this is the best way to acheive that goal, but there are solid reasons (beyond giving wannabes a source of interesting info) to think that this is useful.

      Boss of nothin. Big deal.
      Son, go get daddy's hard plastic eyes.

      --
      Expanding a vast wasteland since 1996.
  12. An Intrusion database a'la ORBS? by Anonymous Coward · · Score: 4

    This service has two sides:
    The bright side is that it will bring stats of intrussion attempts. This is particularly interesting, because you can learn wha't going around and take measures before it's too late.

    The dark side is that I see a forthcomming IASD (Intrussion Attempt source database) available online, so many ppl will start banning IP's "Just in case".

    I do not like ORBS, I feel it's not usefull because of the tendence of give false positives.
    As an example, we use a very strict mail relay policy, and every week I get the ORBS tester machines sending mails that end up in postmaster because of their lack of valid rcpt addressess.
    Every time is because some ignorant saw SPAM w/bogus reply addresses in some of our domains and thinks that the spam was actually sent from one of our SMTP servers (false, all tend to came from yah00 or h0tmail or some server in korea, who cares).

    Imagine a script kiddie who, instead of deleting it's path in the victim's logfile, now replaces it's IP w/someone else's IP address.

    Who audits the victim's security policy? Who gives for grant that the supposed victim is honest?

    This is very, very difficult to prove.

    1. Re:An Intrusion database a'la ORBS? by Patton · · Score: 1

      Actually a lot of places already ban netblocks just because of location. Most of the IPs in the Gaza strip/Palastine etc areas are blocked at numerous places for instance.

      I know I don't think anything of whipping out a default drop on entire B class networks if they are owned in a country that the customers have little business with currently or are known for trouble (Pakistan for instance is really starting to find itself unwelcome in a lot of places).

      There are social issues against doing this but frankly if a given area is known for fire, why play with it. Drop and forget, revist later if conditions improve. Case in point, B class network today in Russia just found itself permanently unwelcome at any of the sites for the company I'm with, and companies where I know friends. They're blocked in 12 B classes and a few C classes on the side now just from refusing to respond against one of their users lauching a hostile attack.

      Ultimately the best solution is that the ISPs or uplinks for the areas take action against attacks but you try getting an internet cafe in the middle of the Gaza strip to block attacks against a jewish owned business. Go ahead, if you can manage it great. My only sucessful recourse has been to drop all incoming packets.

  13. Clarification by JohnTheFisherman · · Score: 1

    That last sentence seems unclear - I don't mean to imply that over half of the .coms are not US sites, but that over half of the 60% (i.e. 38% of the total) are .coms, not all of which are US sites.

    --
    +5:offtopic,but anti-American
    1. Re:Clarification by Shardis · · Score: 1

      Did you even look at the site URL provided? Ofc, there are a whole lot of assumptions on whether or not you want to believe the data represented there is 'valid' or not, whether people are correctly listing their country...etc...
      Anyways, more to the point, it all comes down to this being another potentially useful tool when it comes to what kindof attacks and such are actually being used in the wild...

    2. Re:Clarification by JohnTheFisherman · · Score: 1
      Did you even look at the site URL provided?

      Yes, why do you ask? To me, it looks like roughly 50% of the cracks are in the US, which is roughly the share of websites. YMMV.

      --
      +5:offtopic,but anti-American
  14. Redundant use of cat, missing ', sort problem. by Derek+Pomery · · Score: 1

    awk '{print $2 " " $3 " " $4}' /var/logs/security | sort | uniq -c | sort

    Also, your sort will look like this...
    1
    10
    11
    12
    2
    3
    4
    5
    6
    7
    8
    9

    --
    -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
  15. Sounds Interesting... by crashnbur · · Score: 1
    ...but looking at the overview page...

    "ARIS analyzer is a service designed, administered and maintained by SecurityFocus.com to allow participating network administrators to submit suspicious network traffic and intrusion attempts anonymously, for detailed analysis and tracking. Our aim is to help our participants track incidents and find patterns in attacks that will serve as a threat gauging system for the Internet community."

    ...DAMN! Doesn't apply to me! Still, this looks to be very useful, and I'd probably subscribe to this service if, you know, I weren't just a college kid on a personal computer.

    1. Re:Sounds Interesting... by ryanr · · Score: 2

      We're happy to have all users, whether corporate security professionals, college kids, or home users. if you have an IDS in place, please feel free to participate.

  16. Probably not. by Mr.+Flibble · · Score: 1

    In fact, they're creating the biggest repository of cracker data in the Web!! If they get compromised, everybody using their services will be painted in red as potential targets.

    As it says in their FAQ :

    1) ...your account information is stored separately from the IDS logs you submit for analysis...

    2) ...You always have the choice of how much information you wish to send. You may decide to strip address information when cleaning logs in ARIS extractor...

    Also, they only know who you are if you choose to tell them, and, even so, that information is stored separately from the attacks on your system.

    but you can't be too careful... Amen to that.

    --
    Try to hack my 31337 firewall!
  17. Hrrm by IdentityCrisis · · Score: 1

    Nice service...
    But, could've been far more interesting if you could see graphs of OVERALL statistics, not only graphs and data of the logs you sent.
    For example, I really wanted to know what are top 10 countries that most of the attacks origin from.

  18. My experience. . . by Salgak1 · · Score: 1
    . . .is 7-10 hits on my network at work per day, on the average (we have a Class C, but most stuff is NATed behind the firewall), and 3-4 hits a day at home on the DSL line... it all seems a lot, but then both my work and my home firewalls include footprinting exercises as an attack.....

    I have no idea if those numbers are typical: the DSL ranges are well known, and so is my ISP's netblock. . . But I'd wager it's virtually ALL automated tools. . .

  19. Now you went and took all the fun out of h4x0ring! by tenzig_112 · · Score: 3
    I got to be l337 over years of study. Now some kid can read a couple of logs and pull off a sweet DDoS in their first few hours. Wtf?

    What can there possibly be left for old-skool h4x0rz like myself? Those 455hol3z have taken all the phun out of it.

    A g4ll3ry of my h4x0r1ng k0nqu3sts

  20. Great demographic data by BierGuzzl · · Score: 1

    This will be like having a free online survey of everyone who got hacked... Pretty soon we'll have the perfect profile for the vulnerable admin/setup and targetting spam,hacks,etc at. A little bit of stats work and you may as well have been handed the emails/ip's of the vulnerable systems. Better still, when their database does get hacked, how much do you wanna bet that info is gonna be worth?

    1. Re:Great demographic data by Patton · · Score: 1

      Well the logs aren't always "hacked". An IDS registers 'invalid' or otherwise 'potentially hostile' traffic.

      Just because some kid set off my IDS scanning for SubSeven doesn't mean my site is vulnerable to SubSeven and doesn't mean it was hacked. Fact that they were probably scanning a Solaris system aside all it meant was that my IDS saw the traffic.

      Thats what a lot of these are is that the IDS see's the traffic, either because it is in front of the firewall or the port was opened on the firewall and the IDS behind it saw the packet. What that database could do is show you what are the most common scans performed and what type of sites see what type of attacks.

  21. oops. :) by Derek+Pomery · · Score: 1

    Erm. Scratch sort problem.
    Sort is a bgit smarter then I thought.
    1
    10

    is different then
    1
    10

    --
    -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
  22. super fantastic by JohnnyKnoxville · · Score: 1

    Paranoid freaks of the world unite!

  23. A Real "Hackers Cookbook" this will make by BroadbandBradley · · Score: 1

    do they also offer hacker toolkits for download or do I have to go elsewhere for that?

    --
    "The Most Fun Possible on 4 wheels" is at SunBuggy in Las Vegas
  24. What am I missing? by CyberDawg · · Score: 2

    After looking over the ARIS site, I'm left with a bunch of questions.

    First, what the heck is the definition of an "incident"? Their FAQ doesn't indicate what this means. If some goofball script kiddie runs a script that sends out 100,000 pings of death, is that one incident, or 100,000? If he tries a Syn flood attack on my site, setting up 1,000 sessions, is that one incident, or 1,000? It sounds like AOL's goofy customer count: "Here, set up seven screen names so that we can claim you're seven different customers."

    Secondly, does handing all your log files over to these guys remind anyone of the movie The Net? How do we know SecurityFocus can be trusted? How do we know we're not handing our log files over to someone who's already hacked SecurityFocus? What does this service do for us?

    1. Re:What am I missing? by ryanr · · Score: 5

      First, what the heck is the definition of an "incident"?

      Actually, that's done on a per IDS entry basis. We take each attack description that comes out of each IDS, and correlate those all to a central attack description of our own creation. Then, for each of those, we make a judgement call on whether it is something that should be reported or not. The majority of reports we get are classified as event or probes, things you should't report on. They aren't attacks in and of themselves. There are other attempts that, were the victim vulnerable to what was being checked for, they would just have been penetrated. Those we classify as incidents.

      If some goofball script kiddie runs a script that sends out 100,000 pings of death, is that one incident, or 100,000? If he tries a Syn flood attack on my site, setting up 1,000 sessions, is that one incident, or 1,000?

      It depends how your IDS groups them. We get our information from the IDS logs. Many IDS systems can treat that sort of thing as a collective event.

      How do we know SecurityFocus can be trusted? How do we know we're not handing our log files over to someone who's already hacked SecurityFocus?

      That's the reason we provide an anonymous upload capability, and the upload tool is open-source. You can check yourself exactly what is being sent.

      What does this service do for us?

      A took a short at proving that bit of info here:
      http://slashdot.org/comments.pl?sid=01/03/26/16312 41&cid=92

    2. Re:What am I missing? by Shardis · · Score: 1

      Oh good god man, use common sense. If you're responsible for corporate network security, hopefully you have some...

      Q: First, what the heck is the definition of an "incident"? Their FAQ doesn't indicate what this means.

      A: Again, common sense...if you're getting DDoS'd, you can generate huge amounts of logs if everything is getting recorded...one incident even though (potentially) 2.4million packets were reported (lol).
      Um, what else... if someone probes for 34 different vulnerabilities, hell, report it 34 times if you want.

      Q: Secondly, does handing all your log files over to these guys remind anyone of the movie The Net? How do we know SecurityFocus can be trusted?

      Aa: Um, no not really, "the net" thing was a back door. :P (and a bad movie when it comes to technical points, although not as bad as the infamous 'hackers'...lol.)

      Ab: Hrm, if you're the really paranoid type, SecurityFocus can't be trusted. No one can. Therefore it would be logical to clean your logs of the "attacked address" before submitting them. :)

      Anyways, hopefully this has helped out, sorry if I'm a bit off in these responses, I'm tired and this was too unfortunately typical of responses for me to not respond. :/

    3. Re:What am I missing? by doctor_oktagon · · Score: 2

      If he tries a Syn flood attack on my site, setting up 1,000 sessions, is that one incident, or 1,000? It sounds like AOL's goofy customer count: "Here, set up seven screen names so that we can claim you're seven different customers."

      It's one attack. If you don't understand how these things are reported, then you are certainly not up to date or involved in ongoing network security. This is not a criticism, I am pointing out that you seek to knock Security Focus without realising what a valuable community they provide to anyone involved in network security.

      How do we know SecurityFocus can be trusted?

      See above comments. While I would hesitate to give them the password to my numbered Swiss bank accounts (I wish!), I have been using their services FOR FREE for the last 15 months, and I think they deserve a massive THANK YOU from everyone trying to stop people cracking their systems, or trying to evaluate best of breed security products.

      I don't work for Security Focus. I am a completely unbiased consultant who recommends their site to anyone wishing to get into the field of security.

    4. Re:What am I missing? by Patton · · Score: 1

      Depends a lot on how the IDS is configured. The software tends to gather reports in a set timeframe. An incident is whatever happens from a given source in that time. Be it 30 seconds or 30 days.

      May seem a tad 'goofy' but if the same ip does one thing today then another 6 months from now is it one incident (same source) or two separate ones (time differential)? There isn't a definite line in the sand though stating exactly what the timeframes should be except each organizations security policy. This isn't as precise as nuclear science, yet. Give it a few years.

    5. Re:What am I missing? by doctor_oktagon · · Score: 2

      CyberDawg, to clarify the point (and provide some amusement to everyone else), I've just launched my l337 army of zombie machines based in Thailand against your robson.org website.

      You should see a variety of D-DOS attacks, NMAP syn scans, spam-probes on 25, and a look for any recent DNS vulnerabilities.

      Once you have cooled your LAN cable down and paid your 10Gb ISP bill you can analyse your logs and decide how to start categorising it *grin*

    6. Re:What am I missing? by CyberDawg · · Score: 2

      Thank you, Ryan.

      It's refreshing to see a vendor reading the articles on SlashDot and replying with useful information. I appreciate it.

    7. Re:What am I missing? by CyberDawg · · Score: 2

      Shardis wrote, "If you're responsible for corporate network security, hopefully you have some..."

      What makes you think I'm responsible for corporate network security? I never said that. My day job is in curriculum development, and doesn't involve IP security at all. That, however, doesn't stop me from trying to understand how it all works, and asking lots of questions.

      Um, no not really, "the net" thing was a back door. :P ...

      Details, details ;) I know the background of SecurityFocus, and I've followed BugTraq for years. The point I was making is that I don't know the people. I don't know who would have access to my information. My sole rationale for trusting them (or not) is what other people say about them.

      "...and a bad movie when it comes to technical points, although not as bad as the infamous 'hackers'"

      My wife won't even watch that kind of movie with me anymore, because I keep pointing out the technical flaws. It takes some serious willing suspension of disbelief to enjoy movies like those. I did enjoy Sneakers, though.

      "I'm tired and this was too unfortunately typical of responses for me to not respond."

      No sweat.

  25. GIAC Has a Similar System by winterstorm · · Score: 2

    Incidents.org is run by the Global Incidents Analysis Center which is associated with the SANS institute. It's be operating for a while and the "current detects" section is very valueable for those of us who have to address day-to-day security issues.

    GIAC assigns a "handler" to be on-duty at any given time. All the reported incidents are filtered through the handler.

    1. Re:GIAC Has a Similar System by SpaceLifeForm · · Score: 1

      And they have a link to their homepage
      *ON* their homepage.

      Plus this (a link back to the old site):
      Welcome
      Incidents.org is the new name of the SANS Global Incidents Analysis Center (GIAC).

      NEWS: New Linux worm. Check out www.sans.org/current.htm

      Not ready?

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
  26. Re:So... by ryanr · · Score: 3

    Absolutely. Users who create an account and submit their logs have access to the following:

    - A service designed to assist users in reporting incidents. We look up the appropriate contacts for the offending organization and their upstream provider, allow you to select which incidents you wish to report, and draft a report fo you with all the pertinant information.

    - Access to descriptions about what the attack was that your IDS spotted. This includes links into the Bugtraq database where approrpiate, articles, exploit code (so you can see if the compromise was successful or not), etc...

    - The ability to see how many other ARIS users your attacker has attacked, in case that factors into your decision on whether to report or not.

    - We track which incidents have been reported (thorugh our system) for you.

    - We cross-correlate reports from different IDS brands, for those users who have more than one type.

  27. Re:Shutdown requests by doctor_oktagon · · Score: 3

    GMac, your plan is (adopts Sean Connory accent) "Sherioushly Flawed".

    If you automatically shut down a system which looked like it was being hacked, you risk turning off the front door on your 24/7 international business!

    It's very difficult to detect a real alert from a false alarm. Case in point:
    Last client I was working in had a pair (!) of Sun E10Ks in a failover cluster forming the engine of their website. The Cisco Netranger IDS in the network segment occassionally thought one E10K was launching "ping smurf" attacks on the other E10K, and no amount of IDS tuning would get round it. It turned out it was part of normal Sun cluster network chatter, and it's extremely difficult to harden a clusterised E10K: that's why you deploy an extremely tight firewall in front of it.

    Hilarious I grant you, but not at 3am when your mobile goes off and someone is screaming "Help!!" down it ;-)

  28. Is ARIS secure? by djweis · · Score: 1

    I found it humorous that a exploit cataloging system is being hosted on an NT machine.

    1. Re:Is ARIS secure? by ryanr · · Score: 2

      How secure a particular NT installation is is dependant on the skill of the administrator securing it, and how carefully the administrator watches for new holes, and aggressively patches them away. We have those functions adequately covered.

    2. Re:Is ARIS secure? by mheckaman · · Score: 1

      I'm not disagreeing with you about the skill of the administrator making a huge difference, but how do you patch holes that Microsoft has neglected to release a patch for yet? They can be rather tardy with their patch releases at times..

      Disclaimer: I'm not a Linux zealot, please don't classify me as one :)

      --

      Don't take life so seriously; it isn't permanent.

  29. This certainly seems like valuable data by Illserve · · Score: 2

    The value of this data could theoretically extend far beyond prevention of current attacks. A large body of data on the types and frequency of attacks could potentially lead to statistical analyses allowing predictions of the most common origins of attacks. One could then use this data to inform the development of internet routers and filters to minimize international attacks.

    Further, one could do post-hoc correlations of attacks to salient events, yearly cycles, etc. Such data could lead to more accurate predictions of the impacts of same on a company.

    In other words, this will be useful for helping to figure out the big picture of how the internet creates and deals with attacks.

  30. Re:Shutdown requests by GMac · · Score: 1

    Someone hacks on me site, I shut it down using whatever mechanism required, including pulling the plug.

    Don't hack on me!
  31. Fun to watch by loydcc · · Score: 2

    Am I the only one who likes to watch script kiddies try and infultrate my machine. I mean I love to watch them try tired old attacks and fail. If this service would let me watch the activities on other servers as well I can double my fun. Actually I'd like the ability to see if the same h4x0r is trying to attack my neighbors as well.

    1. Re:Fun to watch by TVmisGuided · · Score: 1

      What's even better is getting logged intrusion attempts from people with static IPs. Six and seven times a day for a week. Then watching them completely go away after you email their provider once.

      I'm glad I have my log size limited...otherwise I'd have a drive full of logs and no room to run Quake III.

      --
      All the world's an analog stage, and digital circuits play only bit parts.
    2. Re:Fun to watch by loydcc · · Score: 1
      Exactly my point!!! It's like watching the cops arrest someone on the street. Watching hackers fail to crack your system can be pretty entertaining. That was my favorite part of Coocoo's Egg. You, Me and Cliff Stoll should have our own show. We'll narrate it like Battle Bots.

      "This h4x0r who calls himself 'ma573r0fm4yh3m' comes from Point Pleasant, WI and is using the 486 Dell his mother brought home from work after the last upgrade. He's never going to get beyond the firewall here at (fill in juicy target) but let's watch him try. What's this he's using a Smurf attack to overwhelm his own ISP. OOps looks to me like he forgot to spoof the return address. Better luck next time."

    3. Re:Fun to watch by Deanasc · · Score: 1

      That's kind of funny. I'd watch that.

      --
      I've hit Karma 50 and gotten a Score:5, Troll... I win!
  32. All your Jews are belong to us!! by jonnythan · · Score: 2



    had to, it just sounded great

    1. Re:All your Jews are belong to us!! by Richy_T · · Score: 2
      No, that's

      "All your Jew are belong to us!"

  33. Incident Handlers by winterstorm · · Score: 1

    GIAC has a similar system already at incidents.org. They assign a "handler" to be on duty at any given time, and all incident reports are filtered through the handler. Someone might submit falsified logs, but unless a lot of sources report the same incidents they problably won't get much mention.

  34. GIAC has been around for a long while. by winterstorm · · Score: 1

    The incidents.org website is new, but the GIAC has been around for a while. It used to be just the "current.html" page but they are now expanding to include a whole website. Obviously the web site is nothing much yet. I have a lot of faith in both GIAC and SecurityFocus but I tend to think that GIAC will do a better job by virtue of the experience of their handlers and especially because of the quality of the people already submitting incidents to GIAC.

  35. Deja Vous... by chuckw · · Score: 1

    Deja Vous baby...

    --
    *Condense fact from the vapor of nuance*
    25: ten.knilrevlis@wkcuhc

    --
    *Condense fact from the vapor of nuance*
  36. sweet. by generic · · Score: 1

    I think this will be an interesting tool. Perhaps by determining which attacks are more frequent in certain regions, people can determine which networks might be missing certain patches? Or parts of the world?

    --
    Microsoft aggravates my tourettes syndrome.
  37. distributed intrusion detection system by faithhopeandcharity · · Score: 1

    another site that is related...but not as full featured is this