The type of profile information you're describing sounds like stuff that
snort is pretty good at identifying. As such, I'd suggest you look into
snort's database of "attack" signatures and see if it provides a decent
starting point for you.
Take care,
Marti
On Sun, Feb 1, 2009 at 3:27 PM, Daniel Ouellet <dan...@presscom.net> wrote:

> Hi,
>
> Can anyone provide me a list of maybe 5 or more good sources or sites that
> actually provide somewhat up-to-date information on new compromise
> sources of attacks and possibly details as to how to remove them?
>
> I see regular new sources of attacks, and at times customers get compromised
> and I can see the attack and block them, but finding more details on what it
> might be or how to remove it is time consuming, and Google will from time to
> time maybe provide some details, but most of the time more useless details on
> it from various posts asking for help more than anything else.
>
> Are there any good sites that are actually keeping decent, somewhat up-to-date
> information on these that can be referred to to help customers, or at a
> minimum to learn more about new attacks in progress?
>
> Many sites provide more like new malware names and what not, but not
> really how they go at it or how they are seen on the Internet.
>
> For example, lately there are a bunch of new ones, like attacks to tcp/5721 or
> to tcp/18082.
>
> I have plenty of honeypots in place, and log them to syslog, so I can see
> them and see new ones as they come up. I can notify customers of this and
> ask them to clean it up, etc. But in many cases, I can't provide more
> details on it, or offer help as to what it might be, or how to remove it.
>
> I can only block these until the issue is cleaned, but it would be helpful if
> I could provide more details when possible as to what it might be.
>
> I realize staying on top of this is mostly impossible as it is constantly
> changing, but any source that is somewhat up to date would be nice.
>
> Any suggestions of a valid source of it.
>
> securityfocus or Bugtraq, etc. They provide information, yes, but not
> in a simple manner like "new attack in progress, tcp/xxx or udp/xxx is
> coming near you" type of details, and as to what it might be and how it could
> maybe be isolated and removed from possibly compromised computers.
>
> Thanks for any clue or details if you know of any.
>
> Each new one really does take a considerable amount of time, sometimes, to
> find details on, and having some sources that may be tracking this
> might be useful and help speed up the process.
>
> Thanks
>
> Daniel
>


-- 
Systems Programmer, Principal
Electrical & Computer Engineering
The University of Arizona
ma...@arizona.edu

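Daniel describes honeypots logged to syslog, spotting new destination ports (tcp/5721, tcp/18082) as they come up, and blocking sources until customers clean up. The script below is an added example, not code from either poster: it parses constructed honeypot syslog lines (the line format and host names are an assumption; the addresses are documentation ranges), compares the destination ports against a baseline of services already known, and reports each previously unseen port with its hit count, first-seen time and the set of sources, which is the minimal "new attack in progress, tcp/xxx" summary the thread asks for.

```python
import re
from collections import defaultdict

# Constructed sample honeypot syslog lines; the "connect proto src -> dst"
# message format is an assumption, not any real honeypot's output.
SAMPLE_SYSLOG = """\
Feb  1 15:01:02 hp1 honeypot[812]: connect tcp 203.0.113.5:51234 -> 192.0.2.10:22
Feb  1 15:01:09 hp1 honeypot[812]: connect tcp 203.0.113.5:51240 -> 192.0.2.10:5721
Feb  1 15:02:11 hp2 honeypot[455]: connect tcp 198.51.100.7:40011 -> 192.0.2.11:5721
Feb  1 15:03:30 hp1 honeypot[812]: connect tcp 198.51.100.9:40500 -> 192.0.2.10:18082
Feb  1 15:04:01 hp2 honeypot[455]: connect tcp 203.0.113.5:51300 -> 192.0.2.11:80
Feb  1 15:05:44 hp2 honeypot[455]: connect udp 198.51.100.7:5060 -> 192.0.2.11:5060
Feb  1 15:06:02 hp1 honeypot[812]: connect tcp 203.0.113.77:3333 -> 192.0.2.10:18082
"""

# Services the honeypots are expected to see every day; anything else is "new".
BASELINE_PORTS = {("tcp", 22), ("tcp", 80), ("udp", 5060)}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+: connect "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_lines(text):
    """Turn syslog text into a list of event dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a honeypot connect record (cron, sshd, ...)
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def new_port_report(events, baseline):
    """Aggregate hits per (proto, dport) and keep only ports outside the baseline."""
    report = defaultdict(lambda: {"hits": 0, "sources": set(), "first_seen": None})
    for ev in events:
        key = (ev["proto"], ev["dport"])
        if key in baseline:
            continue
        entry = report[key]
        entry["hits"] += 1
        entry["sources"].add(ev["src"])
        if entry["first_seen"] is None:
            entry["first_seen"] = ev["ts"]
    return dict(report)


def sources_for_port(events, proto, dport):
    """Sorted list of source addresses that probed one port: the block list
    and the per-customer notification list Daniel mentions."""
    return sorted({ev["src"] for ev in events
                   if ev["proto"] == proto and ev["dport"] == dport})


if __name__ == "__main__":
    events = parse_lines(SAMPLE_SYSLOG)
    for (proto, dport), entry in sorted(new_port_report(events, BASELINE_PORTS).items()):
        print(f"new: {proto}/{dport}  hits={entry['hits']}  "
              f"first={entry['first_seen']}  sources={sorted(entry['sources'])}")
```

Run daily over the previous day's syslog and persist the baseline (adding ports once they have been identified), and the output becomes the "what is new today" list; ports such as tcp/5721 and tcp/18082 would show up on the first day they appear, with the sources to block and the first-seen time to quote to customers.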