RE: You caught them, what next?

["Brei, Matt" <mbrei () medclaiminc com>]

How do you set Snort to GMT?

 

-----Original Message-----
From: FWAdmin [mailto:FWAdmin () nbpower com] 
Sent: Wednesday, April 02, 2003 3:18 PM
To: Brei, Matt
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] You caught them, what next?

 

I just set all of our security devices to GMT. That way there's no contention.

 

        -----Original Message-----
        From: Brei, Matt [mailto:mbrei () medclaiminc com] 
        Sent: April 2, 2003 15:56
        To: L. Christopher Luther; Tobias Rice
        Cc: Snort-Users (E-mail)
        Subject: RE: [Snort-users] You caught them, what next?

        How would one go about logging the TZ info.  I too was wondering about that.  

         

        -----Original Message-----
        From: L. Christopher Luther [mailto:CLuther () Xybernaut com] 
        Sent: Wednesday, April 02, 2003 2:42 PM
        To: 'Tobias Rice'
        Cc: Snort-Users (E-mail)
        Subject: RE: [Snort-users] You caught them, what next?

         

        To add to your "I often email the isp's ...' thought, early last week one of my web servers sustained a 1.5 
hour "attack" from some script kiddie on the Road Runner cable network.  I e-mailed RR's abuse/security folks but was 
told "Your logs must contain the following information in order for Road Runner to process them, included within the 
email...":

          Date of Incident 
          Time of Incident 
          Time Zone that logs are captured in 
          Source IP Address or Host Name 
          Destination IP Address or Host Name 
          Destination Port 

        I gave them *everything* in the logs but the TZ information because, unfortunately, neither Snort nor my web 
server capture the TZ information in their logs.  I did give them the TZ information in the e-mail I sent.  

        And what did I get back?  The same message again.  This exchange went bacn-n-forth a couple of time, and each 
time I received the exact canned reply.  

        Basically it appears that RR is not willing to do anything to their paying customers unless *all* the requested 
is included in the logs.  So I've given up on attempting to get the ISP to do anything, well at least RR.  

         

        -----Original Message----- 
        From: Tobias Rice [mailto:rice () up edu] 
        Sent: Wednesday, April 02, 2003 12:58 PM 
        To: 'snort-users' 
        Subject: [Snort-users] You caught them, what next? 

         

        
        -----BEGIN PGP SIGNED MESSAGE----- 
        Hash: SHA1 

        Good morning to you all! 
        I hope that this isn't getting too far off topic, but since we all have this wonderful IDS in place, I'm sure 
you too are finding lots of people doing things they shouldn't. Which brings me to my question, what now?

        Other than blocking them at the router, what action should be taken? I often email the isp's technical contact 
telling them what I found and for them to put an end to it. But is this useful? I've never gotten an email back, and 
I've sent plenty, which leads me to believe that no action has been taken, it went to the wrong person, or my email 
(which are pretty curt, see example) has offended the RP and was discarded. What are you all doing about your alerts?

        [example email.] 

        To Whom It May Concern: 
        One of your customers, 216.243.8.18 (host18.fastdial.net), made 69 attempts to fingerprint my network via NMAP 
on 2003-04-02 03:43:39 Pacific. Please see to it that this stops immediately. Thank you for your cooperation.

        [/example email...] 

        Thanks in advance! 

        -----BEGIN PGP SIGNATURE----- 
        Version: PGP 8.0 

        iQA/AwUBPoskmcNinOuDXR1bEQJxZQCgspaVA+RSZIzeg+hutqOUA/nI1roAn1jS 
        g0POVPrAspbRMNYDs+rJiVnN 
        =9C1U 
        -----END PGP SIGNATURE----- 

         

        ------------------------------------------------------- 
        This SF.net email is sponsored by: ValueWeb: 
        Dedicated Hosting for just $79/mo with 500 GB of bandwidth! 
        No other company gives more support or power for your dedicated server 
        http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/ 
        _______________________________________________ 
        Snort-users mailing list 
        Snort-users () lists sourceforge net 
        Go to this URL to change user options or unsubscribe: 
        https://lists.sourceforge.net/lists/listinfo/snort-users 
        Snort-users list archive: 
        http://www.geocrawler.com/redir-sf.php3?list=snort-users 


------------------------- 

This e-mail communication (including any or all attachments) is intended only for the use of the person or entity to 
which it is addressed and may contain confidential and/or privileged material. If you are not the intended recipient of 
this e-mail, any use, review, retransmission, distribution, dissemination, copying, printing, or other use of, or 
taking of any action in reliance upon this e-mail, is strictly prohibited. If you have received this e-mail in error, 
please contact the sender and delete the original and any copy of this e-mail and any printout thereof, immediately. 
Your co-operation is appreciated. 


Le présent courriel (y compris toute pièce jointe) s'adresse uniquement à son destinataire, qu'il soit une personne ou 
un organisme, et pourrait comporter des renseignements privilégiés ou confidentiels. Si vous n'êtes pas le destinataire 
du courriel, il est interdit d'utiliser, de revoir, de retransmettre, de distribuer, de disséminer, de copier ou 
d'imprimer ce courriel, d'agir en vous y fiant ou de vous en servir de toute autre façon. Si vous avez reçu le présent 
courriel par erreur, prière de communiquer avec l'expéditeur et d'éliminer l'original du courriel, ainsi que toute 
copie électronique ou imprimée de celui-ci, immédiatement. Nous sommes reconnaissants de votre collaboration.