Snort mailing list archives
cultural questions from a newbie
From: Ricky Charlet <rcharlet () speakeasy net>
Date: Tue, 5 Aug 2003 09:01:03 -0700
Howdy,OK, I've had snort snorting on my system for about 4 days now. (by the way, count this as a success report on Mac OSX 10.2.6 with snort 2.0.0, clean compile and install - no problems).
So WOW! What a lot of attempted attacks there are! Yesterday alone I have 14 attempted attacks and 24 attempted scans. For the 4 days the attacks have been overwhelmingly aimed at MS-SQL server and MS-ISS-ISAPI. The Rule descriptions (SIDs=2003 and 1243) say that the worms "Slammer" and "Code Rode" (respectively) used these vulnerabilities to propagate.
So my initial (newbie) assessment is that there are many unpatched, infected systems out there. I would guess that most of the infected systems are run by sys-admins who want to be white-hat guys or gals but are simply unaware that they have an infection.
My big question is: what can be done to help the admins of these infected systems? Because these attacks are against MS systems, sending an email to root@<IP_ADDRESS> is very unlikely to reach anyone. It seems to me that we would need the cooperation of each ISP to get a message to the owners of the infected systems. But sending a email to abuse@<ISP> seems a little extreme. Is there any current netequite in the snort community relating to how to get in touch with attacking systems under the assumption that the sysadmin would correct the infection if made aware of it?
--- Ricky Charlet rcharlet () alumni calpoly edu 510.324.3163 ------------------------------------------------------- This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET. http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- cultural questions from a newbie Ricky Charlet (Aug 05)
- Re: cultural questions from a newbie Erek Adams (Aug 06)
- Re: cultural questions from a newbie Ricky Charlet (Aug 07)
- <Possible follow-ups>
- FW: cultural questions from a newbie support (Aug 05)
- Re: cultural questions from a newbie JP Vossen (Aug 07)
- Re: cultural questions from a newbie Ricky Charlet (Aug 07)
- Re: cultural questions from a newbie Erek Adams (Aug 06)