Slashdot Mirror


User: PsychoSpy

PsychoSpy's activity in the archive.

Comments · 6

  1. Re:Alternative Recommendation on Are There Risks in Sharing Firewall Logs? · · Score: 1

    As described in an earlier thread (sorry for duplication), but myNetWatchman is affiliated with SANS as well. DShield IS a great service though, and we've worked together with Johannes on a few projects in the past. Both of these services throw their data to Incidents.Org (SANS).

  2. Re:My thoughts on Are There Risks in Sharing Firewall Logs? · · Score: 1

    Although I have a somewhat biased opinion about this because of my involvement, I tend to disagree. This is exactly the attitude that keeps the internet open to subversive worms. We don't make any money off of this, we do this as a service to the INTERNET as a whole. Also, do you trust SANS? Incidents.Org? If so, then look at it this way. If you trust them, and they trust us, then what makes you believe we're some deviants trying to get your log files etc. for malicious use? Especially considering our close co-operation with law enforcement, and SANS in the past. Especially when we discovered the W32.Leave.Worm. If it had not been for a service like ours, this worm never would have been discovered because of its subversive nature, and a couple British coders would have gotten away with tens or even hundreds of thousands of dollars, plus a LARGE (25,000+) Zombie network. I think this justifies what we're doing in and of itself.

  3. Re:Not the most clueful company on the planet... on Are There Risks in Sharing Firewall Logs? · · Score: 1

    I don't understand what your issue with the over 125,000 possible ports is. This is a rounded off, and clean figure. Also note the word "over". Would it be better if we said: "With TCP and UDP alone, there are exactly 131,072 ports an attacker could use."? Not quite as clean, and as the other poster said, it needs to be toned down to get the regular home users. The domain name being really "Dumb" is a personal opinion of yours. And I can assure you we have 1200 ACTIVE (uploaded an incident inside of the past 7 days), and we have NO problem going through 87 - 100 K INDIVIDUAL attack records for every 24 hour period. Trust me, I look at the database, it's all there. =) Glad you like our OS support, and privacy policy though.

  4. Re:Information is power on Are There Risks in Sharing Firewall Logs? · · Score: 1

    In the incidents your IP IS masked, i.e. 172.168.23.* Secondly, Seq #, etc. are NOT sent to our database server. This, the IP address cannot be COMPLETELY removed, otherwise we wouldn't be able to track attack patterns emerging across networks etc. Thus the [proven] power to identify new worms, etc. would be seriously hampered.

  5. Re:myNetWatchman on Are There Risks in Sharing Firewall Logs? · · Score: 1

    That's the thing. YOU decide what logs to send out. More often than not, these are the EXTERNAL logs. In the incidents, the 'Agent's IP IS masked.

  6. myNetWatchman on Are There Risks in Sharing Firewall Logs? · · Score: 1

    This has been an issue that has come up repeatedly with regards to myNetWatchman. I do system development, and incident analysis at the site, as a volunteer.

    I am very interested to hear your comments, and concerns. I would like to hear any suggestions to ease your fears to submit data to our site.

    Using submitted data we have been able to identify new trends in attack data, and therefore find new worms etc. We actually discovered the W32.Leave.Worm.

    I can definitely understand your fears to submitting log data however. Perhaps with your suggestions, we could modify the system to make it more appealing.

    Drop me an e-mail at:
    psychospy@fatelabs.com

    with any suggestions or comments.

    Yours truly,
    Nathan Einwechter
    (PsychoSpy)