Snort mailing list archives

RE: You caught them, what next?

From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Wed, 2 Apr 2003 15:02:29 -0500

With IIS, 4.x at least, all log date/time is written in GMT standard w/ no
reference to TZ, and from my playing with older versions of Apache and
iPlanet, they too seem to lack TZ information.  
 
With Snort one could probably create a small patch to query the underlying
O/S for the TZ and write it as a part of the output to the alert facility,
at least syslog and the fast/full logs files.  
 
Just my $0.02... 
 

-----Original Message-----
From: Brei, Matt [mailto:mbrei () medclaiminc com]
Sent: Wednesday, April 02, 2003 2:56 PM
To: L. Christopher Luther; Tobias Rice
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] You caught them, what next?



How would one go about logging the TZ info.  I too was wondering about that.


 

-----Original Message-----
From: L. Christopher Luther [mailto:CLuther () Xybernaut com] 
Sent: Wednesday, April 02, 2003 2:42 PM
To: 'Tobias Rice'
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] You caught them, what next?

 

To add to your "I often email the isp's ...' thought, early last week one of
my web servers sustained a 1.5 hour "attack" from some script kiddie on the
Road Runner cable network.  I e-mailed RR's abuse/security folks but was
told "Your logs must contain the following information in order for Road
Runner to process them, included within the email...":

  Date of Incident 
  Time of Incident 
  Time Zone that logs are captured in 
  Source IP Address or Host Name 
  Destination IP Address or Host Name 
  Destination Port 

I gave them *everything* in the logs but the TZ information because,
unfortunately, neither Snort nor my web server capture the TZ information in
their logs.  I did give them the TZ information in the e-mail I sent.  

And what did I get back?  The same message again.  This exchange went
bacn-n-forth a couple of time, and each time I received the exact canned
reply.  

Basically it appears that RR is not willing to do anything to their paying
customers unless *all* the requested is included in the logs.  So I've given
up on attempting to get the ISP to do anything, well at least RR.  

 

-----Original Message----- 
From: Tobias Rice [ mailto:rice () up edu <mailto:rice () up edu> ] 
Sent: Wednesday, April 02, 2003 12:58 PM 
To: 'snort-users' 
Subject: [Snort-users] You caught them, what next? 

 


-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 

Good morning to you all! 
I hope that this isn't getting too far off topic, but since we all have this
wonderful IDS in place, I'm sure you too are finding lots of people doing
things they shouldn't. Which brings me to my question, what now?

Other than blocking them at the router, what action should be taken? I often
email the isp's technical contact telling them what I found and for them to
put an end to it. But is this useful? I've never gotten an email back, and
I've sent plenty, which leads me to believe that no action has been taken,
it went to the wrong person, or my email (which are pretty curt, see
example) has offended the RP and was discarded. What are you all doing about
your alerts?

[example email.] 

To Whom It May Concern: 
One of your customers, 216.243.8.18 (host18.fastdial.net), made 69 attempts
to fingerprint my network via NMAP on 2003-04-02 03:43:39 Pacific. Please
see to it that this stops immediately. Thank you for your cooperation.

[/example email...] 

Thanks in advance! 

-----BEGIN PGP SIGNATURE----- 
Version: PGP 8.0 

iQA/AwUBPoskmcNinOuDXR1bEQJxZQCgspaVA+RSZIzeg+hutqOUA/nI1roAn1jS 
g0POVPrAspbRMNYDs+rJiVnN 
=9C1U 
-----END PGP SIGNATURE----- 

 

------------------------------------------------------- 
This SF.net email is sponsored by: ValueWeb: 
Dedicated Hosting for just $79/mo with 500 GB of bandwidth! 
No other company gives more support or power for your dedicated server 
http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
<http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/>  
_______________________________________________ 
Snort-users mailing list 
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users
<https://lists.sourceforge.net/lists/listinfo/snort-users>  
Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users
<http://www.geocrawler.com/redir-sf.php3?list=snort-users>

Current thread:

You caught them, what next? Tobias Rice (Apr 02)
- Re: You caught them, what next? Joe Matusiewicz (Apr 02)
- Re: You caught them, what next? Matt Kettler (Apr 02)
  - RE: You caught them, what next? Gordon Cunningham (Apr 02)
- Re: You caught them, what next? Michael Boman (Apr 04)
- <Possible follow-ups>
- RE: You caught them, what next? Drew Stockman (Apr 02)
- RE: You caught them, what next? L. Christopher Luther (Apr 02)
- RE: You caught them, what next? Brei, Matt (Apr 02)
- RE: You caught them, what next? L. Christopher Luther (Apr 02)
- RE: You caught them, what next? FWAdmin (Apr 02)
- RE: You caught them, what next? Brei, Matt (Apr 02)
  - Re: You caught them, what next? Jason Haar (Apr 02)
- RE: You caught them, what next? L. Christopher Luther (Apr 03)
  - RE: You caught them, what next? Erek Adams (Apr 03)
- RE: You caught them, what next? bmcdowell (Apr 03)
  - Re: You caught them, what next? Jason Haar (Apr 03)