Snort mailing list archives
Re: I'm being attacked, now what?
From: Paulie <paulie () hayseed net>
Date: Fri, 15 Jun 2001 12:38:03 -0700 (PDT)
You could always write a script that scanned the logs for some criteria and then kicked an email to the technical contact of the organization maintaining the IP address space (via a whois () arin net, or apnic, or...). I had good luck with this back in the SMURF heyday. Prolly wanna be careful re: the amount of SPAM you generate tho.

But in the long run it seems like the IDS' purpose is to keep you informed. It's been a paranoia-inducing addition to my network, but I'd rather be aware of the kinds of probes I'm getting hit with etc. than not. It's not really like a firewall where you can point to it and say "it's blocking packets". It's more of an info-gathering tool. An alarm rather than a barrier.

My 2 cents.

Paul

On Fri, 15 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:
I wanted to get some feedback from others out there on how they handle attacks, whether successful or unsuccessful. I see what appear to be valid attacks in small numbers from random machines. Occasionally, I see tons of different attacks coming from ONE machine. Though all attacks are unsuccessful, when does someone scream to the ISP to tell them to stop their client, and when does one just ignore it? It would obviously be VERY time consuming (and a waste of time) to send complaints to every ISP.

What do people recommend out there... maybe only send a complaint when attacks from one node become ridiculously large, or if they successfully break in? The logs are nice to have, but I know management will ask what are we doing about the attacks we are seeing and what is the time you are spending maintaining the IDS server doing for the company?

Thanks

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
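The log-scanning script suggested in the reply above, sketched as an added example (not code from either poster). It assumes Snort's one-line "fast" alert layout; the function names, the thresholds and the contact placeholder are hypothetical, and the whois lookup for the real contact is left to the operator.

```python
import re
from collections import defaultdict

# Constructed sample alerts in Snort's "fast" one-line layout (documentation IPs,
# local-range rule ids); the fourth line is deliberately unparseable.
SAMPLE_ALERTS = """\
06/15-12:01:02.100000  [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.7:1042 -> 192.0.2.10:80
06/15-12:01:03.200000  [**] [1:1000002:1] WEB-CGI phf access [**] [Priority: 2] {TCP} 203.0.113.7:1043 -> 192.0.2.10:80
06/15-12:01:04.300000  [**] [1:1000003:1] SCAN proxy attempt [**] [Priority: 2] {TCP} 203.0.113.7:1044 -> 192.0.2.10:8080
-- log rotated --
06/15-12:05:00.000000  [**] [1:1000004:1] ICMP PING [**] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10
06/15-12:07:10.000000  [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 198.51.100.23:2001 -> 192.0.2.10:80
06/15-12:07:11.000000  [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 198.51.100.23:2002 -> 192.0.2.11:80
06/15-12:09:00.000000  [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.7:1050 -> 192.0.2.11:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+(?:\[\d+:\d+:\d+\]\s+)?(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$")

def summarize(text):
    """Group (timestamp, message, destination) by source IP; skip unparseable lines."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            by_src[m["src"]].append((m["ts"], m["msg"], m["dst"]))
    return by_src

def sources_to_report(by_src, min_alerts=5, min_signatures=3, already_reported=()):
    """Pick only noisy sources not yet reported, to keep outgoing mail volume low."""
    picked = []
    for src, hits in by_src.items():
        distinct = {msg for _, msg, _ in hits}
        if src in already_reported:
            continue
        if len(hits) >= min_alerts or len(distinct) >= min_signatures:
            picked.append(src)
    return sorted(picked)

def draft_report(src, hits, contact="ABUSE-CONTACT-PLACEHOLDER"):
    """Build the mail text only; nothing is sent and no whois query is made."""
    lines = [f"To: {contact}", f"Subject: IDS alerts from {src}", "",
             f"{len(hits)} alerts logged from {src}:"]
    lines += [f"  {ts}  {msg}  -> {dst}" for ts, msg, dst in hits]
    return "\n".join(lines)
```

Persisting the `already_reported` set between runs is what keeps one persistent source from producing a new complaint on every pass over the log.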
Current thread:
- I'm being attacked, now what? Sheahan, Paul (PCLN-NW) (Jun 15)
- Re: I'm being attacked, now what? Paulie (Jun 15)
- Re: I'm being attacked, now what? Bob Staaf (Jun 15)
- <Possible follow-ups>
- RE: I'm being attacked, now what? Sheahan, Paul (PCLN-NW) (Jun 15)
- Re: I'm being attacked, now what? Bob Staaf (Jun 15)
- Re: I'm being attacked, now what? Tremaine Lea (Jun 15)
- Re: I'm being attacked, now what? Bob Staaf (Jun 15)
- RE: I'm being attacked, now what? Sheahan, Paul (PCLN-NW) (Jun 15)
- RE: I'm being attacked, now what? Ryan Russell (Jun 18)