[Emerging-Sigs] Properly handling dynamic IP rules (compromised, botcc, etc)

Joe Pampel jpampel at paladyne.com
Mon Oct 11 11:49:30 EDT 2010

Team Cymru runs bogon route servers which dynamically updates (via BGP) routing tables for unallocated prefixes. Seems to be a sensible model for quick updates.  (and if you're not using it, you probably should. Disclaimer:  I use it & I am a big fan.)  What I mean is provide a BGP peering session for "bad" prefixes.

Not sure if this is something they would be able to assist with or if it's a path that is worth looking into for someone else. If you're really talking about null routing people, why have the IDS do it when you have routers already?  Save cycles for all the cool stuff that only the IDS can do...

JM2C, ICBW, YMMV and the usual disclaimers apply . . .

On Oct 11, 2010, at 11:15 AM, Korodev wrote:

>> Hmmm, good point there. If the list of ips decreases significantly then the end of the range rules are going to never update as a new rev will not be released.
> Will there be any changes to the way the IP list rules are managed,
> updated, and distributed in the new ruleset?
> Did we ever reach a solution on distributing IP's across a set number
> of rules to prevent sid'less alerts when the IP lists shrink? This
> seems like a good time to address these along with the current
> changes.
> \\korodev
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html

The information contained in this correspondence is intended solely for the person or entity entitled to receive the confidential and/or privileged material that it may contain. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, the information in this correspondence (including any attachments) by anyone other than the intended recipient is strictly prohibited. If you believe that you may not be the intended recipient, please destroy and/or delete this correspondence and the attachment(s).

More information about the Emerging-sigs mailing list