Snort mailing list archives

Re: stupid question


From: "james" <hackerwacker () cybermesa com>
Date: Sat, 7 Jun 2003 23:39:20 -0600


I tend to agree with John, with some modifications.
 
: 1) Get over it. Probes are extremely common, and if you're
: well-protected, view them as so much water off a duck's back and get
: on with your life.

Put your energy into the lost art of host security, I would say. Don't
run Snort if you tend to get your knickers in a twist due to every Snort alert.
: 
: 2) Gnash your teeth, post messages to various abuse@ and/or
: postmaster@ and/or newsgroups and/or whatever, and never get any real
: satisfaction;

I get 3,000-10,000 alerts a day, running Snort on a busy ISP network.
I follow up on the very persistent attacks, like the yahoos who try to use
formmail over and over and over, 24/7, to send spam. Also I follow up
on attacks that seem serious; i.e. someone is really trying to crack my hosts
and not just pointing a scanner at me. This is less than 1% of all my alerts.
Keep in mind I use Snort to report a lot of things that are not, per se, attacks.

I use my Snort alerts as a guide to indicate where I need to improve 
or rethink my network and host security.

: 2.a) Join dshield (http://www.dshield.org/) and sign up for Fight
: Back! and *then* get on with your life...

Our abuse desk loves these kinds of reports and we do take action, even
to the point of pulling the plug on a user. So I assume at least a few ISPs do the same &
I submit some of my Snort logs to them. I expect little from this and am happy if just one
host is cleaned.
 
: Personally, I'm in group 1)...

Yep. My goal is to not get hacked, so I get the most bang out of what time I have
by minding my hosts and networks and not firing off useless e-mail. 

James Edwards
jamesh () cybermesa com
Routing and Security
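The triage James describes (thousands of alerts a day, follow up only on the persistent ones such as a source hitting formmail around the clock, ignore one-off scanner sweeps) can be expressed as a filter over Snort's alert_fast output. The script below is an added example, not code from the original post or from the Snort project; the alert lines, SIDs and addresses are constructed for illustration.

```python
"""Triage Snort alert_fast lines: surface (source, signature) pairs that recur over hours.

Added example, not from the original post. Sample alerts below are constructed in
Snort's single-line alert_fast layout; SIDs and addresses are illustrative only.
"""
import re
from collections import defaultdict
from datetime import datetime

# alert_fast layout: MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] ... {proto} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[(?P<sig>\d+:\d+:\d+)\] (?P<msg>.+?) \[\*\*\] "
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d-%H:%M:%S")  # year-less, as Snort writes it
    return rec

def persistent_sources(lines, min_hits=3, min_span_hours=1.0):
    """Group alerts by (source, signature); keep pairs seen at least min_hits times
    spread over at least min_span_hours. A single scan sweep fails the span test."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_alert(line)
        if rec:
            groups[(rec["src"], rec["sig"], rec["msg"])].append(rec["ts"])
    result = []
    for (src, sig, msg), stamps in groups.items():
        span_h = (max(stamps) - min(stamps)).total_seconds() / 3600
        if len(stamps) >= min_hits and span_h >= min_span_hours:
            result.append({"src": src, "sig": sig, "msg": msg, "hits": len(stamps), "span_hours": round(span_h, 2)})
    return sorted(result, key=lambda r: r["hits"], reverse=True)

# Constructed sample: one source hammering formmail all day, one source doing a single ping sweep.
SAMPLE_ALERTS = [
    "06/07-01:12:03.000001 [**] [1:884:1] WEB-CGI formmail access [**] [Priority: 2] {TCP} 198.51.100.7:40001 -> 192.0.2.10:80",
    "06/07-09:40:11.000002 [**] [1:884:1] WEB-CGI formmail access [**] [Priority: 2] {TCP} 198.51.100.7:40002 -> 192.0.2.10:80",
    "06/07-17:55:49.000003 [**] [1:884:1] WEB-CGI formmail access [**] [Priority: 2] {TCP} 198.51.100.7:40003 -> 192.0.2.10:80",
    "06/07-23:02:30.000004 [**] [1:884:1] WEB-CGI formmail access [**] [Priority: 2] {TCP} 198.51.100.7:40004 -> 192.0.2.10:80",
    "06/07-12:00:00.000005 [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 203.0.113.9 -> 192.0.2.10",
    "06/07-12:00:01.000006 [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 203.0.113.9 -> 192.0.2.11",
    "06/07-12:00:02.000007 [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 203.0.113.9 -> 192.0.2.12",
]

if __name__ == "__main__":
    for r in persistent_sources(SAMPLE_ALERTS):
        print(f"{r['src']} {r['msg']} hits={r['hits']} span={r['span_hours']}h")
```

Run against a real alert file, the thresholds are the knobs to turn: raise min_hits and min_span_hours until the output is the sub-1% worth an abuse@ report or a firewall change.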



