Snort mailing list archives
Re: You caught them, what next?
From: Joe Matusiewicz <joem () nist gov>
Date: Wed, 02 Apr 2003 14:32:18 -0500
At 12:57 PM 4/2/03, Tobias Rice wrote:
Good morning to you all! I hope that this isn't getting too far off topic, but since we all have this wonderful IDS in place, I'm sure you too are finding lots of people doing things they shouldn't. Which brings me to my question, what now? Other than blocking them at the router, what action should be taken? I often email the ISP's technical contact telling them what I found and for them to put an end to it. But is this useful? I've never gotten an email back, and I've sent plenty, which leads me to believe that no action has been taken, it went to the wrong person, or my email (which are pretty curt, see example) has offended the RP and was discarded. What are you all doing about your alerts?
There's not a whole lot you can do. It's a judgement call if you want to contact the ISP, who most likely will do nothing, especially if they're overseas. Some ISPs will send out a warning letter to their customer telling them not to do it again. If it's a conscientious company they will probably thank you if you alert them to the fact that one of their hosts was r00ted. But then again maybe not. From my perspective, it would be a full-time job to send email to everyone who scans my network. IDS sensors outside your firewall should not be your primary concern. IDS sensors going off inside your firewall should be given much closer inspection.
My 2 lincolns.... -- Joe