Slashdot Mirror


Attack Registry And Intelligence Service

thelaw writes: "SecurityFocus just announced the start of their new service, ARIS (Attack Registry and Intelligence Service) Analyzer. The service allows you to submit logs from several different intrusion detection systems automatically and quasi-anonymously. Looking at the front page, they seem to have over 700,000 incidents already reported since starting."

11 of 73 comments

  1. Change the URL to point to port 23 by Decado · · Score: 5

    And I'll bet they can clear 1,000,000 attacks before the day is out.

    --

    Slashdot: Proof that a million monkeys at a million typewriters can create a masterpiece

  2. Potential problem by ChazeFroy · · Score: 5

    This centralized service for reporting will lead to some falsified logs being submitted to get somebody in trouble. I hope people use this service, but I also hope they take it with a grain of salt.

  3. Of course, by blair1q · · Score: 3

    Of course, all too soon, they will have a whole category for "slashdotted"...

    --Blair

  4. Anonymous? by cavemanf16 · · Score: 5

    Well, the US sure seems to be getting bombarded. I didn't know there were that many political attackers and script kiddie crackers out there. Maybe this will show some US companies just how big a deal security (including protecting the info they always collect on me) really is.

    And my bit of paranoia for the day:
    Why do they keep saying how 'secure and private' the log files you send them are? Can't they just trace the IP that sent the log right back to the company and/or individual who owns the IP (unless of course it's a dynamic IP being assigned)? Not that they would want to do so, but let's just stop advertising privacy. There is no privacy on the net. It's like streaking thru a crowded marketplace; not many people notice, but those that do get to see the whole deal.

  5. Am I the only one who missed the point? by GodHead · · Score: 4

    I must have missed something.

    I'm not trying to troll or anything but other than the "Cool" factor what does this service do? How is knowing the most common attack types going to help me? The common ones are already patched by clued-in admins. I mean did you see the common attack list? If you're open to SNMP GET you have problems.

    Are they going to try and find new attacks with the data or something?

    G.H.

    --
    Just wait till some crappy band steals your nic.

    1. Re:Am I the only one who missed the point? by MadAhab · · Score: 3

      These could be useful for forensics after a major DDoS, since security professionals and law enforcement could look for origin sites in these logs.

      The common attacks ARE patched against by clued-in admins, but you don't get an army of DDoS zombie boxes by ignoring the obvious exploits. I get scanned all the time for the most obvious security holes; port 137, port 53, port 111. When I've bothered to look, the source boxes have been (half the time - often the sources are fake!) unpatched-looking RedHat boxes from home internet connections (ISPs, broadband or otherwise). And in the weeks following the recent issues with BIND, I have regularly been scanned for port 53, and these guys are scanning whole networks of addresses for this port only.

      In an ideal world, I would report these scans, and the administrators of the source boxen might be notified that their machines have already been hacked and are being used for scans, which could help prevent major DoS attacks, or even be used to observe packet monkeys early enough in the game to trace back to their origin (as opposed to getting to the attack boxes and finding a bunch of erased logs).

      I'm not saying it will work, or that this is the best way to achieve that goal, but there are solid reasons (beyond giving wannabes a source of interesting info) to think that this is useful.

      Boss of nothin. Big deal.
      Son, go get daddy's hard plastic eyes.

      --
      Expanding a vast wasteland since 1996.
  6. An Intrusion database a'la ORBS? by Anonymous Coward · · Score: 4

    This service has two sides:
    The bright side is that it will bring stats of intrusion attempts. This is particularly interesting, because you can learn what's going around and take measures before it's too late.

    The dark side is that I see a forthcoming IASD (Intrusion Attempt Source Database) available online, so many ppl will start banning IPs "just in case".

    I do not like ORBS, I feel it's not useful because of its tendency to give false positives.
    As an example, we use a very strict mail relay policy, and every week I get the ORBS tester machines sending mails that end up in postmaster because of their lack of valid rcpt addresses.
    Every time it is because some ignorant saw SPAM w/bogus reply addresses in some of our domains and thinks that the spam was actually sent from one of our SMTP servers (false, all tend to come from yah00 or h0tmail or some server in korea, who cares).

    Imagine a script kiddie who, instead of deleting its path in the victim's logfile, now replaces its IP w/someone else's IP address.

    Who audits the victim's security policy? Who takes for granted that the supposed victim is honest?

    This is very, very difficult to prove.

  7. Now you went and took all the fun out of h4x0ring! by tenzig_112 · · Score: 3

    I got to be l337 over years of study. Now some kid can read a couple of logs and pull off a sweet DDoS in their first few hours. Wtf?

    What can there possibly be left for old-skool h4x0rz like myself? Those 455hol3z have taken all the phun out of it.

    A g4ll3ry of my h4x0r1ng k0nqu3sts

  8. Re:So... by ryanr · · Score: 3

    Absolutely. Users who create an account and submit their logs have access to the following:

    - A service designed to assist users in reporting incidents. We look up the appropriate contacts for the offending organization and their upstream provider, allow you to select which incidents you wish to report, and draft a report for you with all the pertinent information.

    - Access to descriptions about what the attack was that your IDS spotted. This includes links into the Bugtraq database where appropriate, articles, exploit code (so you can see if the compromise was successful or not), etc...

    - The ability to see how many other ARIS users your attacker has attacked, in case that factors into your decision on whether to report or not.

    - We track which incidents have been reported (through our system) for you.

    - We cross-correlate reports from different IDS brands, for those users who have more than one type.

  9. Re:Shutdown requests by doctor_oktagon · · Score: 3

    GMac, your plan is (adopts Sean Connery accent) "Sherioushly Flawed".

    If you automatically shut down a system which looked like it was being hacked, you risk turning off the front door on your 24/7 international business!

    It's very difficult to detect a real alert from a false alarm. Case in point:
    Last client I was working in had a pair (!) of Sun E10Ks in a failover cluster forming the engine of their website. The Cisco NetRanger IDS in the network segment occasionally thought one E10K was launching "ping smurf" attacks on the other E10K, and no amount of IDS tuning would get round it. It turned out it was part of normal Sun cluster network chatter, and it's extremely difficult to harden a clusterised E10K: that's why you deploy an extremely tight firewall in front of it.

    Hilarious I grant you, but not at 3am when your mobile goes off and someone is screaming "Help!!" down it ;-)

  10. Re:What am I missing? by ryanr · · Score: 5

    First, what the heck is the definition of an "incident"?

    Actually, that's done on a per IDS entry basis. We take each attack description that comes out of each IDS, and correlate those all to a central attack description of our own creation. Then, for each of those, we make a judgement call on whether it is something that should be reported or not. The majority of reports we get are classified as events or probes, things you shouldn't report on. They aren't attacks in and of themselves. There are other attempts that, were the victim vulnerable to what was being checked for, they would just have been penetrated. Those we classify as incidents.

    If some goofball script kiddie runs a script that sends out 100,000 pings of death, is that one incident, or 100,000? If he tries a Syn flood attack on my site, setting up 1,000 sessions, is that one incident, or 1,000?

    It depends how your IDS groups them. We get our information from the IDS logs. Many IDS systems can treat that sort of thing as a collective event.

    How do we know SecurityFocus can be trusted? How do we know we're not handing our log files over to someone who's already hacked SecurityFocus?

    That's the reason we provide an anonymous upload capability, and the upload tool is open-source. You can check yourself exactly what is being sent.

    What does this service do for us?

    I took a shot at proving that bit of info here:
    http://slashdot.org/comments.pl?sid=01/03/26/1631241&cid=92
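The correlation ryanr describes above (per-IDS signatures mapped to one central attack description, probes filtered out, repeated events from one source collapsed into a single incident, and a count of how many submitting users one source has hit) as an added illustration; this is not ARIS or SecurityFocus code. The two IDS line formats, the sample alerts and the probe/incident split are all constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample alerts from two hypothetical IDS products with different
# line formats (not real Snort or NetRanger output), keyed by submitting user.
SUBMISSIONS = {
    "user-a": ["IDS-A sig=SYN_FLOOD src=10.0.0.5 dst=192.0.2.10",
               "IDS-A sig=SYN_FLOOD src=10.0.0.5 dst=192.0.2.10",
               "IDS-A sig=PORTSCAN_TCP src=10.0.0.7 dst=192.0.2.10",
               "not an alert line"],
    "user-b": ["IDS-B|ping-of-death|10.0.0.5|198.51.100.4",
               "IDS-B|snmp-get|10.0.0.9|198.51.100.4"],
}
# (vendor, vendor signature) -> (canonical attack, class). The probe/incident
# split is an assumption for this example, following the comment's definition.
CANONICAL = {
    ("IDS-A", "SYN_FLOOD"): ("syn-flood", "incident"),
    ("IDS-A", "PORTSCAN_TCP"): ("port-scan", "probe"),
    ("IDS-B", "ping-of-death"): ("ping-of-death", "incident"),
    ("IDS-B", "snmp-get"): ("snmp-get", "probe"),
}
IDS_A_RE = re.compile(r"^IDS-A sig=(\S+) src=(\S+) dst=(\S+)$")

def parse(line):
    """Return (vendor, signature, src, dst), or None for unparsable lines."""
    m = IDS_A_RE.match(line)
    if m:
        return ("IDS-A",) + m.groups()
    parts = line.split("|")
    return tuple(parts) if len(parts) == 4 and parts[0] == "IDS-B" else None

def correlate(submissions):
    """Collapse repeated vendor events into one incident per (src, attack)."""
    incidents = defaultdict(lambda: {"events": 0, "users": set()})
    for user, lines in submissions.items():
        for line in lines:
            rec = parse(line)
            if rec is None:
                continue  # unknown format: skip rather than guess
            vendor, sig, src, _dst = rec
            attack, cls = CANONICAL.get((vendor, sig), ("unknown", "probe"))
            if cls != "incident":
                continue  # probes are not worth a report on their own
            incidents[(src, attack)]["events"] += 1
            incidents[(src, attack)]["users"].add(user)
    return dict(incidents)

def victims_of(incidents, src):
    """Distinct submitting users hit by one source across all attack types."""
    return len(set().union(*(v["users"] for k, v in incidents.items() if k[0] == src)))
```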