[nsp-sec] Changes Coming
Dave Monnier
dmonnier at cymru.com
Mon Feb 25 13:28:57 EST 2013
Hi, Hank.

Thanks for your feedback. We'll investigate sending an email to notify
users when a report is available for them.

When analyzing how people were using the daily reports we found that by
far most users were retrieving reports for their ASN every day (and in
some cases trying every hour) regardless of an ASN alerts email being
sent and that most people pulled down a 404 message. The previous
system had one report file per category, per ASN as well. This resulted
in many, many requests on our side that were primarily 404's. It seems
the majority of users were/are okay with fetching reports daily and
automatically.

For history, there are at least 5 days of available reports that can be
pulled down. This should match the ASN alerts / Daily reports history.

If you can forward to me the text report that shows an Openresolver
that's not visible in the UI we can investigate why. Also, CC as you
mention isn't command and control but rather a sorting option by country
code (CC).

We'll let you know as soon as possible about an email alerting option.

Thanks,
-Dave

On 2/24/13 12:04 AM, Hank Nussbacher wrote:
>
> First off, I would like to thank Team Cymru for providing this free
> service to the community for many years. It has proven invaluable in
> our efforts to stamp out malware.
>
> Having played a bit more now with TcConsole, IMHO, you cancelled the
> wrong system. The Daily Reports are "pushed" to us - if I have a
> phishing problem in my network, I see that report in the morning. Same
> goes for malware or openresolver or any other category. But with
> TcConsole, nothing is pushed to me. I have to actively go to the
> website and check what is new today as opposed to yesterday. This in
> itself will cause more "badness" to go unhandled by the members of
> nsp-sec.
>
> The website is somewhat slow to respond. It only shows IPs for the past
> 24 hours. CC appears to not be C&C but rather something else, since
> every time I have had a spam IP report, I have an exact match in the
> number of CCs listed.
>
> If I ignore the GUI which I don't really need (more suited for newbies)
> and focus on something like:
> https://www.tcconsole.com/export/20130223/malevolence.txt
> Suddenly in this report I see there is an Openresolver that is not
> viewable by the GUI. I also don't know how far back the exported
> reports will go since it only started as of 6 days ago.
>
> So what this means is I have to create a script to every day go to
> malevolence.txt file to see what is new for my ASN.
>
> I'll use it but am disappointed.
>
> Regards,
> Hank
>
--
Dave Monnier
Team Cymru
https://www.team-cymru.org/
PGP: https://www.cymru.com/dmonnier/0x7C1AAE55_pub.asc