[IntelMQ-users] More specific CIDRs from a different country from RIPE?

Sebastian Wagner wagner at cert.at
Fri Feb 12 16:07:58 CET 2021


Dear Bernhard,

On 2/11/21 11:10 AM, Bernhard Reiter wrote:
> if you are responsible to only deal with reports for a country

The scope "for a country" is unfortunately not as clear as it may sound.
Organizations in a country can have (some) resources (domains, IP
addresses) in other countries, but are still part of your constituency.
This becomes especially important with organizations moving to the cloud.

For example, the Austrian company OMV has the domain omv.com and the IP
address behind it is located in Canada. Still, the company is part of
our[0] constituency.

> and base your decisions on the RIPE database, 
> how do you deal with more specific CIDRs that are from a different country, 
> but within a CIDR that belongs to yours?

In general, most specific wins. That's what the entry in RIPE is for. If
there are other indications that the organization in a different country
needs to be contacted, for example because the .at TLD is used, we send
the reports to foreign organizations as well.

But: If in doubt, better send out more reports rather than too few.

We (as CERT.at, not IntelMQ) have also received the feature request
once, that an upstream provider wants to receive copies of the reports a
sub-provider (who has its own RIPE entries) receives. However, we
haven't implemented that yet.

best regards
Sebastian

[0] to be more specific: the constituency of the Austrian Energy CERT

-- 
// Sebastian Wagner <wagner at cert.at> - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// An initiative of nic.at GmbH - https://www.nic.at/
// Company register number 172568b, LG Salzburg
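
The "most specific wins" rule from the reply above, as an added example that is not part of the original message and is not IntelMQ or CERT.at code: a longest-prefix match over constructed RIPE-style entries, followed by one possible reading of the .at TLD exception. The entries, contact addresses, and the function names `most_specific` and `route` are assumptions made for illustration.

```python
import ipaddress

# Constructed sample entries using documentation address ranges, not real RIPE data.
ENTRIES = [
    {"cidr": "198.51.100.0/24", "country": "AT", "contact": "abuse@provider.example"},
    {"cidr": "198.51.100.128/25", "country": "DE", "contact": "abuse@subprovider.example"},
    {"cidr": "203.0.113.0/24", "country": "CA", "contact": "abuse@cloud.example"},
]


def most_specific(ip, entries=ENTRIES):
    """Return the entry whose CIDR covers ip with the longest prefix, or None."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for entry in entries:
        net = ipaddress.ip_network(entry["cidr"])
        # Skip entries of the other address family; membership is only
        # meaningful between an address and a network of the same version.
        if addr.version != net.version or addr not in net:
            continue
        if net.prefixlen > best_len:
            best, best_len = entry, net.prefixlen
    return best


def route(ip, fqdn=None, home="AT", home_tld=".at", entries=ENTRIES):
    """Return (contact, reason) if a report should be sent, else None.

    Assumed policy: the most specific entry decides the country; a foreign
    entry is still contacted when the reported name is under the home TLD.
    """
    entry = most_specific(ip, entries)
    if entry is None:
        return None  # no registry data covers this address
    if entry["country"] == home:
        return entry["contact"], "most specific entry is in home country"
    if fqdn and fqdn.lower().rstrip(".").endswith(home_tld):
        return entry["contact"], "foreign entry, but home TLD in use"
    return None


if __name__ == "__main__":
    for ip, name in [("198.51.100.10", None), ("198.51.100.200", None),
                     ("198.51.100.200", "shop.example.at")]:
        print(ip, name, "->", route(ip, name))
```
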

