Snort mailing list archives
RE: You caught them, what next?
From: "Drew Stockman" <Drew.Stockman () cibmis com>
Date: Wed, 2 Apr 2003 13:36:32 -0600
Depends on what they are doing. If they are scanning or just poking around a bit I usually just throw them into my banned IPs group on the firewall and am done with them. If it looks like a concentrated effort of some kind then I follow up with an email to their ISP. I also tend to scan them back in an effort to get more info about them and in the hope they pick up on it. Most hackers that get scanned by the person they are poking at will get the message that they are caught and will quickly move on.

Always be sure to include some logs though. An email message with no logs will most likely just get dumped in the trash. Usually an ISP won't bother replying to you so I wouldn't get my hopes up.

As a side note, when I am bored I spend some time trying to get in touch with admins of some of the servers that are infected with a worm and throwing traffic at me. Usually I get no response from these either, but occasionally someone sends a thank you email and I feel like I did my little part to make the internet a better place.

Drew Stockman
Security Analyst
CIBMIS

-----Original Message-----
From: Tobias Rice [mailto:rice () up edu]
Sent: Wednesday, April 02, 2003 11:58 AM
To: 'snort-users'
Subject: [Snort-users] You caught them, what next?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Good morning to you all!

I hope that this isn't getting too far off topic, but since we all have this wonderful IDS in place, I'm sure you too are finding lots of people doing things they shouldn't. Which brings me to my question: what now? Other than blocking them at the router, what action should be taken?

I often email the ISP's technical contact telling them what I found and for them to put an end to it. But is this useful? I've never gotten an email back, and I've sent plenty, which leads me to believe that no action has been taken, it went to the wrong person, or my emails (which are pretty curt, see example) have offended the RP and were discarded.

What are you all doing about your alerts?

[example email.]

To Whom It May Concern:

One of your customers, 216.243.8.18 (host18.fastdial.net), made 69 attempts to fingerprint my network via NMAP on 2003-04-02 03:43:39 Pacific. Please see to it that this stops immediately.

Thank you for your cooperation.

[/example email...]

Thanks in advance!

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPoskmcNinOuDXR1bEQJxZQCgspaVA+RSZIzeg+hutqOUA/nI1roAn1jS
g0POVPrAspbRMNYDs+rJiVnN
=9C1U
-----END PGP SIGNATURE-----

-------------------------------------------------------
This SF.net email is sponsored by: ValueWeb: Dedicated Hosting for just $79/mo with 500 GB of bandwidth! No other company gives more support or power for your dedicated server
http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
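The two replies above agree on a small workflow: sort sources into "just poking" (ban at the firewall) versus "concentrated effort" (ban and report to the ISP), and never send a report without the log lines behind it. The Python below is an added example of that triage, not code from either poster or from the Snort project. It parses Snort's alert_fast output format, skips sources inside our own and RFC 1918 ranges, decides ban-vs-report on an alert count and a distinct-target count (both thresholds are my assumptions), emits iptables ban commands, and drafts an abuse report that carries the year and timezone (alert_fast timestamps have neither) plus an excerpt of the raw alert lines. The alert log is constructed; the addresses are RFC 5737 documentation ranges, and the 469/1228 signature IDs are the classic "ICMP PING NMAP" / "SCAN nmap XMAS" rules.

```python
"""Triage Snort alert_fast lines into firewall bans and an abuse report with logs attached.
Added example; the thresholds, the sample log and the report wording are assumptions."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# alert_fast line shape (Snort 1.9/2.x era), e.g.
# 04/02-03:43:39.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: ...] [Priority: 2] {ICMP} 192.0.2.10 -> 203.0.113.5
FAST_RE = re.compile(r"""
    ^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+
    \[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+
    (?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?
    (?:\[Priority:\s*(?P<prio>\d+)\]\s*)?
    \{(?P<proto>\w+)\}\s+
    (?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?\s*$
""", re.VERBOSE)

# Never ban or report these: our own space is passed in separately by the caller.
RFC1918_AND_LOOPBACK = [ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Alert:
    ts: str; sid: str; msg: str; prio: int; proto: str; src: str; dst: str; raw: str


def parse_alerts(text):
    """Return Alert objects for every line that matches alert_fast; other lines are ignored."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue  # stats output, banners, garbage: do not guess at it
        alerts.append(Alert(m["ts"], m["sid"], m["msg"], int(m["prio"] or 3),
                            m["proto"], m["src"], m["dst"], line.strip()))
    return alerts


def is_local(ip, our_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_AND_LOOPBACK + our_nets)


def triage(alerts, our_nets, report_threshold=20, report_targets=5):
    """Group by source. A few hits -> 'ban'; many hits or many targets -> 'report' (assumed thresholds)."""
    our_nets = [ipaddress.ip_network(n) for n in our_nets]
    by_src = defaultdict(list)
    for a in alerts:
        if not is_local(a.src, our_nets):
            by_src[a.src].append(a)
    decisions = {}
    for src, hits in by_src.items():
        targets = sorted({a.dst for a in hits})
        concentrated = len(hits) >= report_threshold or len(targets) >= report_targets
        decisions[src] = {
            "action": "report" if concentrated else "ban",
            "count": len(hits),
            "sigs": sorted({f"{a.sid} {a.msg}" for a in hits}),
            "targets": targets,
            "first": hits[0].ts, "last": hits[-1].ts,
            "alerts": hits,
        }
    return decisions


def ban_rules(decisions):
    """One drop rule per offending source; adapt to whatever holds your 'banned IPs' group."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(decisions)]


def abuse_report(src, d, year, tz_name, max_lines=10):
    """Draft abuse mail: window with year and timezone, what fired, and the raw log excerpt."""
    out = [f"Subject: Port scans / probes from {src} against our network", "",
           f"Between {year}/{d['first']} and {year}/{d['last']} ({tz_name}), host {src} triggered",
           f"{d['count']} IDS alerts against {len(d['targets'])} of our hosts:"]
    out += [f"  - {s}" for s in d["sigs"]]
    out += ["", f"Supporting Snort log excerpt ({min(d['count'], max_lines)} of {d['count']} lines;"
                " full log available on request):"]
    out += [f"  {a.raw}" for a in d["alerts"][:max_lines]]
    out += ["", "Please investigate and let us know the outcome."]
    return "\n".join(out)


def sample_alert_log():
    """Constructed alert_fast lines (not real traffic). 192.0.2.10 scans three hosts 24 times,
    198.51.100.7 probes twice, 10.0.0.9 is an internal host and must be skipped."""
    lines = []
    for i in range(24):
        dst = f"203.0.113.{5 + i % 3}"
        if i % 2 == 0:
            lines.append(f"04/02-03:43:{i:02d}.000000  [**] [1:469:1] ICMP PING NMAP [**] "
                         f"[Classification: Attempted Information Leak] [Priority: 2] {{ICMP}} 192.0.2.10 -> {dst}")
        else:
            lines.append(f"04/02-03:43:{i:02d}.000000  [**] [1:1228:1] SCAN nmap XMAS [**] "
                         f"[Classification: Attempted Information Leak] [Priority: 2] {{TCP}} 192.0.2.10:43121 -> {dst}:80")
    lines.append("04/02-05:10:01.000000  [**] [1:1000001:1] LOCAL web probe [**] [Priority: 3] {TCP} 198.51.100.7:51020 -> 203.0.113.5:80")
    lines.append("04/02-05:10:03.000000  [**] [1:1000001:1] LOCAL web probe [**] [Priority: 3] {TCP} 198.51.100.7:51021 -> 203.0.113.5:80")
    lines.append("04/02-06:00:00.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.9 -> 203.0.113.5")
    lines.append("snort: rule stats ...")  # non-alert line, ignored by the parser
    return "\n".join(lines)


if __name__ == "__main__":
    decisions = triage(parse_alerts(sample_alert_log()), ["203.0.113.0/24"])
    print("\n".join(ban_rules(decisions)))
    for src, d in decisions.items():
        if d["action"] == "report":
            print("\n" + abuse_report(src, d, 2003, "US/Pacific"))
```

The report deliberately leaves the recipient to a whois lookup done by the operator (an offline script should not guess abuse contacts), and it caps the excerpt so a 69-alert scan does not become a 69-line mail; the full log stays available on request. Both thresholds are the judgement call the replies describe, not Snort settings.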
Current thread:
- You caught them, what next? Tobias Rice (Apr 02)
- Re: You caught them, what next? Joe Matusiewicz (Apr 02)
- Re: You caught them, what next? Matt Kettler (Apr 02)
- RE: You caught them, what next? Gordon Cunningham (Apr 02)
- Re: You caught them, what next? Michael Boman (Apr 04)
- <Possible follow-ups>
- RE: You caught them, what next? Drew Stockman (Apr 02)
- RE: You caught them, what next? L. Christopher Luther (Apr 02)
- RE: You caught them, what next? Brei, Matt (Apr 02)
- RE: You caught them, what next? L. Christopher Luther (Apr 02)
- RE: You caught them, what next? FWAdmin (Apr 02)
- RE: You caught them, what next? Brei, Matt (Apr 02)
- Re: You caught them, what next? Jason Haar (Apr 02)
- RE: You caught them, what next? L. Christopher Luther (Apr 03)
- RE: You caught them, what next? Erek Adams (Apr 03)
- RE: You caught them, what next? bmcdowell (Apr 03)
- Re: You caught them, what next? Jason Haar (Apr 03)