Snort mailing list archives

Action Recommendations


From: "Jarret Gibson" <jarret () osa comax com>
Date: Sun, 27 Oct 2002 13:20:04 -0500

My network servers, like many others, are being pounded on port 80 with all types of various IIS and PHP exploits. I've eliminated all of the false alarms and made certain that the systems are updated and secure from the attacks I'm seeing. What should I do next?

- Suppose the attack came from 20.20.20.1. I'm assuming I should block the offending IP address at the firewall, but should I block just that one IP, or should I block the entire subnet it is on? Yeah, I'm aware that dialup users or some office folk can very easily switch to another IP, which is why I wonder if I should ban a whole range or not. But, obviously, if some AOL user tried something, you wouldn't want to ban all AOL addresses.

- Should I bother with reporting these security problems to the offending person's ISP / office? I've heard most of you say that people rarely (if ever) do anything about the script kiddies / hackers when you report them.

- What other actions should I take?

Jarret Gibson