Re: When does a scan attempt become a focused attack?

[Sebastian Schneider <ses () straightliners de>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey Jimmy,

actually I guess, every machine within the Internet is checked for several 
vulnerabilities over and over again. If your server is not vulnerable to 
those attacks mentioned below, you should focus your IDS to the attacks 
important. That is adjust your snort to match your environment.
It makes no sense to report every attack if you don't need them for 
statistical reasons.

Sebastian

On Tuesday 21 October 2003 23:21, Hunt, Jim wrote:
> I recently set up snort to look for intrusions and am still learning to
> sort out all of my alerts.  However, I have one that has caught my eye
> this afternoon and wonder what to do...
>
> The scan/attack started about 1/2 hour ago and is still continuing as I
> type this out.  The snort box is Windows and the attacker is happily
> trying all the basic attempts over and over.  The pattern looks very
> deliberate.
>
> Here are the exploits -
>
> http://www.snort.org/snort-db/sid.html?sid=1040
> http://www.snort.org/snort-db/sid.html?sid=1002
> http://www.snort.org/snort-db/sid.html?sid=1256
> http://www.snort.org/snort-db/sid.html?sid=983
> http://www.snort.org/snort-db/sid.html?sid=1286
>
> We are at 150+ in 35 minutes.  Does it really do any good to report him?
>
>
> Here is the whois data -
> http://www.dnsstuff.com/tools/whois.ch?ip=!NET-63-126-130-224-1&server=w
> hois.arin.net
>
> What is the correct thing to do?
>
> Jim Hunt
> Certified Network & Systems Engineer
> Northwestern School Corporation
> Technology Services Manager
> http://technology.nwsc.k12.in.us
>
> http://www.ProWinHost.com | Professional Windows Hosting | Professional
> Windows Reselling
> http://www.AlertServ.com | Managed and Incident Windows Server Support |
> Custom Alerting
> http://www.NetMon.org | Network Monitoring Tools and Tutorials |
> Includes MRTG for Dummies
>
>
>
> ----------
> Outgoing mail is certified virus free using Symantec Antivirus & Symantec
> Antivirus for Microsoft Exchange. Northwestern School Corporation - Kokomo,
> Indiana
>
>
>
> ---------------------------------------------------------------------------
> Visual & Easy-to-use are not words that you think of when talking about
> network analyzers. Are you sick of the three window text decodes? Download
> ClearSight Network's Analyzer and see a new network analysis tool that
> makes the complex - easy
> www.clearsightnet.com/jmp6-downloadtrial.jsp
> ---------------------------------------------------------------------------
> -

- -- 

Sebastian Schneider
straightLiners IT Consulting & Services
Metzer Str. 12
13595 Berlin
Germany

Fon: +49-30-3510-6168
Fax: +49-30-3510-6169
www.straightliners.de
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/lppYQ7mOWZBxbPcRApqnAJ4+fOgwmdFXxIgPGOSEX1hK/6Q9DQCgyRoQ
K4Gwij2gMpmC1guWlndr6V0=
=v8t0
-----END PGP SIGNATURE-----


---------------------------------------------------------------------------
Visual & Easy-to-use are not words that you think of when talking about
network analyzers. Are you sick of the three window text decodes? Download ClearSight Network's Analyzer and see a new 
network analysis tool that
makes the complex - easy
http://www.securityfocus.com/sponsor/ClearSightNetworks_security-basics_031021
----------------------------------------------------------------------------