Firewall Wizards mailing list archives

Re: "Who else picked this one up?"


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Fri, 30 Apr 1999 19:00:05 -0400

Philip S Holt, Security Engineer / Network Engineer wrote:
   BO PING sweep attempted by 195.99.61.138 
   BO TYPE_HTTPENABLE attempted by 195.99.61.138 
[...]

A few of us (some folks on the list and some of the folks at
NFR) have been looking into adding a feature in the next version
of Back Officer to allow someone to publish these kinds of
records (potentially with a hashed IP address instead of the
real one) to a central location for statistics, forensics,
and to share within the security community. This would, I
must _emphasize_, not, I repeat _NOT_ be automatic and would
require configuration and a passcode exchange between the
repository and the desktop user.

Anyone got thoughts they'd like to share about some of the
information that might be worth gathering? We thought we'd
start by correlating class C networks, correlating reverse
lookups of domains, correlating type of service swept/probed,
as well as (sometimes) parameters. I guess we're still at
the "scratching our heads and thinking over the issues" phase.
We're aware of the CIDF work that IETF and others are doing,
but don't want to do anything near as top-heavy. I guess the
goal of the project would be to get some statistics about how
bad the scanning rate _is_ out there. From what we've learned
by releasing BOF it's _LOTS_ worse than I thought.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
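
The hashed-address publishing and class C correlation proposed in the message above, sketched as an added example that is not part of the original post or of any NFR software. The secret key, field names, function names and sample lines (documentation address ranges) are assumptions; only the record wording follows the quoted log lines.

```python
import hashlib
import hmac
import ipaddress
import re
from collections import Counter

# Record wording follows the quoted lines: "<service> <probe> attempted by <ip>"
RECORD = re.compile(r"^\s*(?P<svc>\S+)\s+(?P<probe>.+?)\s+attempted by\s+(?P<ip>\S+)\s*$")

KEY = b"constructed-demo-key"  # assumption: a secret the reporter never publishes

SAMPLE = [  # constructed sample input, not real observations
    "   BO PING sweep attempted by 192.0.2.10",
    "   BO TYPE_HTTPENABLE attempted by 192.0.2.10",
    "   BO PING sweep attempted by 192.0.2.77",
    "   BO PING sweep attempted by 198.51.100.5",
    "[...]",
]

def pseudonym(key: bytes, label: bytes, value: bytes) -> str:
    # Keyed hash: an unkeyed hash of an IPv4 address is reversible by
    # enumerating all 2**32 inputs, so a plain SHA-256 would hide nothing.
    # The label keeps host and network pseudonyms in separate namespaces.
    return hmac.new(key, label + b"|" + value, hashlib.sha256).hexdigest()[:16]

def to_shared_record(line: str, key: bytes = KEY):
    m = RECORD.match(line)
    if not m:
        return None  # not a probe record (e.g. the "[...]" elision)
    try:
        ip = ipaddress.IPv4Address(m["ip"])
    except ValueError:
        return None  # malformed address: drop rather than publish raw text
    net24 = ip.packed[:3] + b"\x00"  # class C (/24) network address
    return {
        "service": m["svc"],
        "probe": m["probe"],
        "src": pseudonym(key, b"host", ip.packed),
        "src_net24": pseudonym(key, b"net24", net24),  # allows per-network correlation
    }

def summarize(lines, key: bytes = KEY):
    records = [r for r in (to_shared_record(l, key) for l in lines) if r]
    by_probe = Counter((r["service"], r["probe"]) for r in records)
    by_net = Counter(r["src_net24"] for r in records)
    return records, by_probe, by_net
```

Records hashed under different keys cannot be correlated with each other, so whether the key is per reporter or shared through the repository decides what the central statistics can show.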


