Snort mailing list archives
Re: stupid question
From: "james" <hackerwacker () cybermesa com>
Date: Sat, 7 Jun 2003 23:39:20 -0600
I tend to agree with John, with some modifications.

: 1) Get over it. Probes are extremely common, and if you're
: well-protected, view them as so much water off a duck's back and get
: on with your life.

Put your energy into the lost art of host security, I would say. Don't run Snort if you tend to get your knickers in a twist due to every Snort alert.

:
: 2) Gnash your teeth, post messages to various abuse@ and/or
: postmaster@ and/or newsgroups and/or whatever, and never get any real
: satisfaction;

I get 3000-10,000 alerts a day, running Snort on a busy ISP network. I follow up on the very persistent attacks, like the yahoos who try to use formmail over and over and over, 24/7, to send spam. Also I follow up on attacks that seem serious; i.e. someone is really trying to crack my hosts and not just pointing a scanner at me. This is less than 1% of all my alerts. Keep in mind I use Snort to report a lot of things that are not, per se, attacks. I use my Snort alerts as a guide to indicate where I need to improve or rethink my network and host security.

: 2.a) Join dshield (http://www.dshield.org/) and sign up for Fight
: Back! and *then* get on with your life...

Our abuse desk loves these kinds of reports and we do take action, even to the point of pulling the plug on a user. So I assume at least a few ISPs do the same & I submit some of my snort logs to them. I expect little from this and am happy if just one host is cleaned.

: Personally, I'm in group 1)...

Yep. My goal is to not get hacked, so I get the most bang out of what time I have by minding my hosts and networks and not firing off useless e-mail.

James Edwards
jamesh () cybermesa com
Routing and Security