Snort mailing list archives
RE: Foreign Attacks (was Re: Firing off Abuse email based on Snort Traffic)
From: Jared Ingersoll <jared () cswv com>
Date: Fri, 30 May 2003 11:37:50 -0400
Are there any good resources out there on the net that would list the necessary IPs to black hole everything but North America? This may be useful in some instances.

jared

-----Original Message-----
From: bmcdowell () coxhealthplans com [mailto:bmcdowell () coxhealthplans com]
Sent: Friday, May 30, 2003 9:58 AM
To: snort-users () lists sourceforge net
Subject: Foreign Attacks (was Re: [Snort-users] Firing off Abuse email based on Snort Traffic)

I too have noticed that most of the high-scoring offenders appear to be Asian. (Of course, there's no way to know that those Asian haven't been somehow hijacked, but that's another topic...)

Since my firm provides a mostly-domestic product, I wonder if it wouldn't be best just to black hole that whole continent. Or, for that matter, everything but North America. It seems extreme, but since it shouldn't necessarily cost me any business, I haven't totally dismissed it yet.

As I see it, there is no good reason to pursue (on your own) an attack from outside your native land. I have never imagined myself working hand-in-hand with, say, Korean law enforcement to track down a hacker.

Has anyone else on the list had any positive experiences with foreign law enforcement? Does anyone take a different stance toward foreign IP's?

Just curious...

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Skip Carter
Sent: Thursday, May 29, 2003 8:45 PM
To: Matt Howell
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Firing off Abuse email based on Snort Traffic
How do other administrators handle genuine attacks and Portscans from International sources?
Persistent portscans we generally respond to by black holing the address or network at the border routers or firewalls. Other attacks tend to get more attention; it helps if you can engage the assistance of security admins from other Internet locations (we once got the assistance of the US Air Force when one of our investigations and theirs inadvertently crossed paths; they were a great help in shutting down some Korean attacks!).

BTW: is anybody else seeing slow scans (3 or 4 addresses per day) apparently coming from Cuba?

Skip

--
Dr. Everett (Skip) Carter     Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc.       INTERNET: skip () taygeta com
1340 Munras Ave., Suite 314   WWW: http://www.taygeta.com
Monterey, CA. 93940
Current thread:
- RE: Foreign Attacks (was Re: Firing off Abuse email based on Snort Traffic) Pacheco, Michael F. (May 30)
- Re: Foreign Attacks (was Re: Firing off Abuse email based on Snort Traffic) OT Allan Dover (Jun 04)
- <Possible follow-ups>
- RE: Foreign Attacks (was Re: Firing off Abuse email based on Snort Traffic) Jared Ingersoll (Jun 01)