[feedback-report] Let's get started

Markus Stumpf lists-ietf.org-abuse-feedback-report at maexotic.de
Thu Dec 10 15:39:14 PST 2009


On Thu, Dec 10, 2009 at 10:09:08AM -0800, Murray S. Kucherawy wrote:
> 	   c) SSH attacks
> 	   d) FTP attacks
> 	   e) Web server attacks

I guess <protocol> attack types are too unspecific in general.
A lot of attacks are e.g. password breaking attacks which apply to
a lot of protocols like ssh, ftp, http, pop3, imap, smtp (auth), ldap, ...
So I guess it would be more useful to have something like
"password break-in" as type for the template and a "protocol" field for
more specific information.

Same for port scans. I'd use this as the type and the protocols probed
as an additional information.

This probably also helps in merging incidents. One could use
"port scan" and group it by source IP address with additional
information about protocols/services and the IP address range
probed. Grouping by protocol would cause more incident reports
to be generated.

	\Maex
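A small illustration of the merging argument in the message above, added here and not part of the original post: constructed sample events are grouped both ways, and keying on (attack type, source IP) yields two incidents where keying on protocol yields eight. The type names ("password break-in", "port scan") and the protocol/range fields are assumptions taken from the proposal, not registered ARF values.

```python
from collections import defaultdict
import ipaddress

# Constructed sample events (not from the mailing list): one entry per observed
# attempt, as a log aggregator might hand them over.
# Fields: source IP, protocol/service probed, destination host, kind of attempt.
EVENTS = [
    ("198.51.100.7", "ssh",   "10.0.0.5", "password"),
    ("198.51.100.7", "ftp",   "10.0.0.5", "password"),
    ("198.51.100.7", "imap",  "10.0.0.9", "password"),
    ("198.51.100.7", "smtp",  "10.0.0.9", "password"),
    ("203.0.113.42", "ssh",   "10.0.0.1", "scan"),
    ("203.0.113.42", "http",  "10.0.0.2", "scan"),
    ("203.0.113.42", "https", "10.0.0.3", "scan"),
    ("203.0.113.42", "ldap",  "10.0.0.4", "scan"),
]

# Hypothetical report types as proposed in the thread; not ARF-registered values.
TYPE_FOR_KIND = {"password": "password break-in", "scan": "port scan"}


def group_by_protocol(events):
    """Per-protocol scheme: one incident per (protocol attack, source IP)."""
    reports = set()
    for src, proto, _dst, _kind in events:
        reports.add((f"{proto} attack", src))
    return reports


def group_by_type(events):
    """Proposed scheme: one incident per (attack type, source IP), carrying
    the probed protocols and the probed address range as extra information."""
    incidents = defaultdict(lambda: {"protocols": set(), "targets": set()})
    for src, proto, dst, kind in events:
        inc = incidents[(TYPE_FOR_KIND[kind], src)]
        inc["protocols"].add(proto)
        inc["targets"].add(ipaddress.ip_address(dst))
    # Summarise each incident's target set as a lowest-highest address range.
    return {
        key: {
            "protocols": sorted(v["protocols"]),
            "range": f"{min(v['targets'])}-{max(v['targets'])}",
        }
        for key, v in incidents.items()
    }
```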
