amt has asked for the wisdom of the Perl Monks concerning the following question:

Gentlemen,

I am trying to implement an automatic nastygram delivery script for an intrusion detection system. I have been examining Net::Whois::Arin because it gives me information based upon IP addresses, which the IDS maintains for all events.

The problem is that Net::Whois::Arin does not provide an interface to ARIN's OrgAbuseEmail, if it even exists for that entry.

I was considering using Net::Whois::ARIN in combination with Net::Whois to ascertain a contact email address to send a canned C&D letter, but I was curious as to other people's thoughts before proceeding.

Update: Here is some code to go with that, and combine it with Snort data_payload decoding ;)

#!/usr/bin/perl -w
use Net::Whois;          # provides Net::Whois::Domain
use Net::Whois::ARIN;    # module name is case-sensitive: ARIN, not Arin
use Carp;

my $ip = shift;
my ($domain, $isp);

my $w = Net::Whois::ARIN->new(
    host    => 'whois.arin.net',
    port    => 43,
    timeout => 30,
);

my @output = $w->network($ip);
foreach my $r (@output) {
    if ($r->NameServer) {
        $isp = sprintf("%s", $r->NameServer);
        # separate variable so the ARIN handle $w is not shadowed
        my $d = Net::Whois::Domain->new($isp)
            or die "Cannot connect to WHOIS server!\n";
        unless ($d->ok) {
            croak "No match for $isp\n";
        }
        print "Domain: ", $d->domain, "\n";
    } else {
        next;
    }
}
exit;
amt.

perlcheat

Replies are listed 'Best First'.
Re: IDS, ARIN, and Nastygrams
by tachyon (Chancellor) on Oct 13, 2004 at 00:52 UTC

    It is trivial to parse the result for all the available emails. You can then take your pick. If you are going to make automatic responses you should be careful not to accidentally mail bomb the destination server(s). To avoid this you need to rate limit your responses to any given email address/domain.

    use Net::Whois::ARIN;
    my $w = Net::Whois::ARIN->new(
        host    => 'whois.arin.net',
        port    => 43,
        timeout => 30,
    );
    my $result = $w->query( '207.173.0.0' );
    my %emails = $result =~ m/^(\w*Email):\s*(\S+)/mg;
    use Data::Dumper;
    print Dumper \%emails;
    __DATA__
    $VAR1 = {
        'TechEmail'     => 'ipadmin@eli.net',
        'OrgTechEmail'  => 'support@eli.net',
        'AbuseEmail'    => 'abuse@support.eli.net',
        'OrgAbuseEmail' => 'abuse@support.eli.net',
        'NOCEmail'      => 'support@eli.net'
    };

    cheers

    tachyon
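The approach in the reply above, parsing every `*Email:` field and then rate-limiting per address and per domain, as an added worked example that is not code from the original posts. The ARIN reply text is constructed to match the fields in the Dumper output; the limits (2 per address, 3 per domain, per hour) and the in-memory `%sent` store are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example for this thread, not code from the original posts.
# Parses every *Email: field out of a raw ARIN reply, picks a contact by
# preference, and rate-limits per address and per domain so a burst of IDS
# events cannot become a mail bomb. The whois text below is constructed.
use strict;
use warnings;

# Constructed sample reply; only the fields used here are shown.
my $sample = <<'END';
NetRange:       203.0.113.0 - 203.0.113.255
OrgName:        Example ISP
TechEmail:      ipadmin@example.net
OrgTechEmail:   support@example.net
AbuseEmail:     abuse@support.example.net
OrgAbuseEmail:  abuse@support.example.net
NOCEmail:       support@example.net
END

# Contact fields in order of preference for an abuse report.
my @PREFERENCE = qw(OrgAbuseEmail AbuseEmail OrgTechEmail TechEmail NOCEmail);

# Same regex as in the reply above: capture "<Anything>Email: <address>" pairs.
sub parse_emails {
    my ($text) = @_;
    my %emails = $text =~ m/^(\w*Email):\s*(\S+)/mg;
    return \%emails;
}

# First preferred field that is present, or undef (leave it to a human).
sub pick_contact {
    my ($emails) = @_;
    for my $field (@PREFERENCE) {
        return $emails->{$field} if defined $emails->{$field};
    }
    return;
}

# Sliding-window rate limiter keyed by both the full address and its domain,
# so several addresses at one provider share a budget. State is kept in
# memory for the example; a real script would persist it between runs.
my %sent;   # key => list of epoch times of recent sends

sub allow_send {
    my ($addr, $now, $max_per_addr, $max_per_domain, $window) = @_;
    my ($domain) = $addr =~ /\@(.+)\z/;
    return 0 unless defined $domain;          # malformed address: never mail it
    my %limit = (lc $addr => $max_per_addr, lc $domain => $max_per_domain);
    for my $key (keys %limit) {
        my $hist = $sent{$key} ||= [];
        @$hist = grep { $_ > $now - $window } @$hist;   # forget old sends
        return 0 if @$hist >= $limit{$key};
    }
    push @{ $sent{$_} }, $now for keys %limit;
    return 1;
}

# Simulate five alerts for the same block within a minute: with 2 per address
# and 3 per domain per hour, the first two go out and the rest are suppressed.
my $to = pick_contact(parse_emails($sample));
die "no usable contact, queue for a human\n" unless defined $to;
my $t0 = time;
for my $i (1 .. 5) {
    my $ok = allow_send($to, $t0 + $i * 10, 2, 3, 3600);
    printf "alert %d -> %s %s\n", $i, $to,
        $ok ? 'SEND' : 'suppressed (rate limit)';
}
```

The domain key matters more than the address key: a provider that lists `abuse@`, `noc@` and `support@` for one block would otherwise receive three times the intended volume.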

      Gentlemen,

      I am writing this follow-up to tell you that I had more success with Net::Whois::IP. Below is the code that provided the solution.
      use strict;
      use warnings;
      use Net::Whois::IP qw(whoisip_query);
      use Net::SMTP;

      my $ip = shift;
      my ($OrgAbuseEmail, $OrgTechEmail, $TechEmail);

      my $response = whoisip_query($ip);    # Query the ARIN Database
      foreach (sort keys(%{$response})) {
          $OrgAbuseEmail = $response->{$_} if ($_ eq 'OrgAbuseEmail');
          $OrgTechEmail  = $response->{$_} if ($_ eq 'OrgTechEmail');
          $TechEmail     = $response->{$_} if ($_ eq 'TechEmail');
      }

      my $smtp = Net::SMTP->new("mymailhost", Timeout => 60);
      if ($OrgAbuseEmail) {
          # lather with Net::SMTP
          exit;
      } elsif ($OrgTechEmail) {
          # rinse
      } elsif ($TechEmail) {
          # repeat
      }
      amt.

      perlcheat
Re: IDS, ARIN, and Nastygrams
by gellyfish (Monsignor) on Oct 13, 2004 at 08:56 UTC

    As well as (or instead of) querying the ARIN database you might consider using the whois.abuse.net database which will return the abuse report address(es) for a given domain.

    /J\

Re: IDS, ARIN, and Nastygrams
by DrHyde (Prior) on Oct 13, 2004 at 09:14 UTC
    Two problems: first, if you're just going to query ARIN before sending nastygrams, then RIPE will hate you, because ARIN think that huge chunks of address space belong to RIPE when they don't. I assume that they think the same about APNIC and LACNIC too.

    Second, automated nastygrams are Just Wrong. You can, of course, automate whatever you want within your network, including blocking great big chunks of addresses, but if you send out nastygrams without *detailed* human checking, then prepare yourself to be blocked in turn as an abusive network.
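Both points in the reply above can be enforced before any mail is generated: inspect ARIN's own answer for signs that the block is delegated to another RIR, and route everything to a human queue rather than sending automatically. The following is an added example, not code from the original posts. The `ReferralServer:` and `NetType:` fields are as they appear in ARIN output; the two replies, the RIR server list and the `triage` return values are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example for this thread, not code from the original posts.
# Before any mail is drafted, inspect ARIN's own answer: if it shows the
# block is delegated to another RIR (ReferralServer / NetType), the ARIN
# contacts are not the operator's, so the event goes to a human queue.
# Both replies below are constructed, not live whois output.
use strict;
use warnings;

my %OTHER_RIR = map { $_ => 1 }
    qw(whois.ripe.net whois.apnic.net whois.lacnic.net whois.afrinic.net);

# Returns a short reason string if ARIN hands the block off, else undef.
sub delegated_elsewhere {
    my ($text) = @_;
    # e.g. "ReferralServer: whois://whois.ripe.net" (rwhois:// also seen)
    if ($text =~ m{^ReferralServer:\s*(?:r?whois://)?([\w.-]+)}m) {
        my $server = lc $1;
        return "referral to $server" if $OTHER_RIR{$server};
    }
    # e.g. "NetType: Allocated to RIPE NCC"
    if ($text =~ m/^NetType:\s*(.*\b(?:RIPE|APNIC|LACNIC|AfriNIC)\b.*)$/mi) {
        return "NetType $1";
    }
    return;
}

# Decide what to do with one IDS event. Nothing here sends anything; the
# best case is a draft that a person approves.
sub triage {
    my ($whois_text) = @_;
    my $why = delegated_elsewhere($whois_text);
    return { action => 'human_review', reason => $why } if defined $why;
    my %emails = $whois_text =~ m/^(\w*Email):\s*(\S+)/mg;
    my $to = $emails{OrgAbuseEmail} || $emails{AbuseEmail};
    return { action => 'human_review', reason => 'no abuse contact' } unless $to;
    return { action => 'draft_for_approval', to => $to };
}

# Constructed replies: one block ARIN manages itself, one it refers to RIPE.
my %replies = (
    arin_managed => <<'END',
NetRange:       203.0.113.0 - 203.0.113.255
NetType:        Direct Allocation
OrgAbuseEmail:  abuse@example.net
END
    ripe_delegated => <<'END',
NetRange:       192.0.2.0 - 192.0.2.255
OrgName:        RIPE Network Coordination Centre
NetType:        Allocated to RIPE NCC
ReferralServer: whois://whois.ripe.net
OrgAbuseEmail:  abuse@example.net
END
);

for my $name (sort keys %replies) {
    my $d = triage($replies{$name});
    printf "%-15s %-20s %s\n", $name, $d->{action}, $d->{to} || $d->{reason};
}
```

The delegated case is flagged even though the reply lists an `OrgAbuseEmail`, which is the point: the address ARIN shows for a RIPE-managed block belongs to the registry, not to the network that generated the alert.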