Snort mailing list archives
FW: cultural questions from a newbie
From: <support () nps-dc org>
Date: Tue, 5 Aug 2003 14:03:15 -0400
I think the majority of the infected boxes can be traced back to home broadband users running unpatched MS software without a router between their cable/DSL modem and their WinME box. 'whitehat'/honeypot guys/gals specifically limit the outgoing traffic from their tests.

Sending these infected users a notice would be like telling a turtle they've got duck s**t on their shell: 1) they wouldn't really know what to make of it, 2) there's not much the avg. user can do w/o taking the time to d/l the canned fixes from MS, or Symantec, et al. Which, if they had the inclination/clue, they'd have done by now.

Maybe a Win.Messenger svc message to their IP that they're infected... Er wait, they get those all day, but to push viagra, so they won't care, or trust you.

Good luck.

Fernando

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ricky Charlet
Sent: Tuesday, August 05, 2003 12:01 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] cultural questions from a newbie

Howdy,

OK, I've had snort snorting on my system for about 4 days now. (By the way, count this as a success report on Mac OSX 10.2.6 with snort 2.0.0: clean compile and install, no problems.)

So WOW! What a lot of attempted attacks there are! Yesterday alone I had 14 attempted attacks and 24 attempted scans. For the 4 days the attacks have been overwhelmingly aimed at MS-SQL server and MS-IIS-ISAPI. The rule descriptions (SIDs 2003 and 1243) say that the worms "Slammer" and "Code Red" (respectively) used these vulnerabilities to propagate.

So my initial (newbie) assessment is that there are many unpatched, infected systems out there. I would guess that most of the infected systems are run by sys-admins who want to be white-hat guys or gals but are simply unaware that they have an infection.

My big question is: what can be done to help the admins of these infected systems?

Because these attacks are against MS systems, sending an email to root@<IP_ADDRESS> is very unlikely to reach anyone. It seems to me that we would need the cooperation of each ISP to get a message to the owners of the infected systems. But sending an email to abuse@<ISP> seems a little extreme. Is there any current netiquette in the snort community relating to how to get in touch with attacking systems, under the assumption that the sysadmin would correct the infection if made aware of it?

---
Ricky Charlet
rcharlet () alumni calpoly edu
510.324.3163

-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
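As an added example that is not part of the thread (and not Snort's own tooling), here is one way to turn the alerts Ricky describes into the per-source evidence an abuse@ report would need: it parses Snort's fast-format alert lines, keeps only the two worm signatures he cites (SIDs 2003 and 1243), and groups them by source address with first/last seen. The sample alert lines are constructed; the fast-format layout and the SID-to-worm mapping are assumptions of this example.

```python
import re
from collections import defaultdict

# Snort "fast" alert format (snort -A fast), one alert per line:
#   MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [...] {PROTO} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$"
)
# The two propagation signatures the post mentions (assumed mapping for this example).
WORM_SIDS = {2003: "Slammer", 1243: "Code Red"}

def summarize(lines):
    """Group worm-signature alerts by source IP; other SIDs and unparsable lines are ignored."""
    by_src = {}
    for line in lines:
        m = FAST_RE.match(line.strip())
        if not m or int(m["sid"]) not in WORM_SIDS:
            continue
        s = by_src.setdefault(m["src"], {"hits": 0, "first": m["ts"], "last": m["ts"],
                                          "worms": defaultdict(int)})
        s["hits"] += 1
        s["last"] = m["ts"]          # alerts are in file order, so the latest line is last seen
        s["worms"][WORM_SIDS[int(m["sid"])]] += 1
    return by_src

def abuse_report(by_src):
    """One line per suspected infected host, most active first: the evidence an abuse@ note needs."""
    rows = []
    for src, s in sorted(by_src.items(), key=lambda kv: -kv[1]["hits"]):
        worms = ", ".join(f"{w} x{n}" for w, n in sorted(s["worms"].items()))
        rows.append(f"{src}: {s['hits']} hits ({worms}) between {s['first']} and {s['last']}")
    return rows

# Constructed sample alerts (not from the post); addresses are RFC 5737 documentation ranges.
SAMPLE = [
    "08/05-09:12:01.100000  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 198.51.100.5:1434",
    "08/05-09:12:03.200000  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 198.51.100.5:1434",
    "08/05-10:40:17.300000  [**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:3921 -> 198.51.100.5:80",
    "08/05-11:02:44.400000  [**] [1:1418:3] SNMP request tcp [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:4001 -> 198.51.100.5:161",
]
if __name__ == "__main__":
    for row in abuse_report(summarize(SAMPLE)):
        print(row)
```

Feed it the alert file instead of SAMPLE and the output is a short list of the hosts actually worth reporting, with counts and a time window, rather than every alert Snort raised.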
Current thread:
- cultural questions from a newbie Ricky Charlet (Aug 05)
- Re: cultural questions from a newbie Erek Adams (Aug 06)
- Re: cultural questions from a newbie Ricky Charlet (Aug 07)
- <Possible follow-ups>
- FW: cultural questions from a newbie support (Aug 05)
- Re: cultural questions from a newbie JP Vossen (Aug 07)
- Re: cultural questions from a newbie Ricky Charlet (Aug 07)
- Re: cultural questions from a newbie Erek Adams (Aug 06)