Snort mailing list archives

Re: cultural questions from a newbie


From: Erek Adams <erek () snort org>
Date: Wed, 6 Aug 2003 09:39:25 -0400 (EDT)

On Tue, 5 Aug 2003, Ricky Charlet wrote:

      OK, I've had snort snorting on my system for about 4 days now. (by the
way, count this as a success report on Mac OSX 10.2.6 with snort 2.0.0,
clean compile and install - no problems).

Schweet!  :)

      So WOW! What a lot of attempted attacks there are! Yesterday alone I
have 14 attempted attacks and 24 attempted scans. For the 4 days the
attacks have been overwhelmingly aimed at MS-SQL server and
MS-IIS-ISAPI. The Rule descriptions (SIDs=2003 and 1243) say that the
worms "Slammer" and "Code Red" (respectively) used these
vulnerabilities to propagate.

Welcome to our world.  :)  It's kinda like having a pair of really, really
dark shades removed....

      So my initial (newbie) assessment is that there are many unpatched,
infected systems out there. I would guess that most of the infected
systems are run by sys-admins who want to be white-hat guys or gals but
are simply unaware that they have an infection.

Errrr...  I think you're giving them too much credit.  For the most part,
your "normal" user has no concept of Security, patching, advisories,
vendor notices, or anything along those lines.  It's the "turn it on, and
it works" mentality.  We've been clicked and dragged into a point-n-drool
generation courtesy of <insert Microsoft bash here>.

      My big question is: what can be done to help the admins of these
infected systems?

Install OpenBSD on them.  ;-)

      Because these attacks are against MS systems, sending an email to
root@<IP_ADDRESS> is very unlikely to reach anyone. It seems to me that
we would need the cooperation of each ISP to get a message to the owners
of the infected systems. But sending an email to abuse@<ISP> seems a
little extreme. Is there any current netiquette in the snort community
relating to how to get in touch with attacking systems under the
assumption that the sysadmin would correct the infection if made aware
of it?

Honestly, there's not too much you can do.  You could look up the contacts
for the domain and make a phone call, but that has limited success.  Email
is almost useless for the majority of those.  If it's coming from a
DSL/Cable modem....  Just forget it.  No one will care or even understand
what you are telling them--And you'd never get to the end user anyway.
:-/

Yeah, it sucks.   That's the sad part about becoming "clueful" and
understanding what's going on--You see so much of the failures of others,
you start to wonder "Why did I even do this?"

Cheers!  (And yes, I'm feeling a bit cynical this morning....)

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
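As an added example (not part of the list thread, and not Snort's own code), a small Python triage script that assumes Snort's alert_fast output format: it parses the lines, groups them per source IP, and separates hits on the two worm signatures the thread names (SIDs 2003 and 1243) from everything else, so the background noise of already-infected hosts can be told apart from sources that deserve a closer look. The sample alert lines are constructed, and the rule message strings are assumed to match the stock rules of the time.

```python
import re
from collections import Counter, defaultdict

# Matches Snort "alert_fast" output: timestamp, [gid:sid:rev], message, protocol, src -> dst.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# The two SIDs the thread names: worm propagation signatures. A source that only
# ever trips these is almost certainly an infected host, not a targeted attacker.
WORM_SIDS = {2003: "Slammer (MS-SQL)", 1243: "Code Red (IIS ISAPI .ida)"}

# Constructed sample alerts (not real traffic); SID 1000001 is a placeholder
# in the local-rule range standing in for any non-worm signature.
SAMPLE_ALERTS = """\
08/05-03:12:44.120001  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 198.51.100.5:1434
08/05-03:14:02.551230  [**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:3921 -> 198.51.100.5:80
08/05-04:01:19.000431  [**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.44:1055 -> 198.51.100.5:80
08/05-05:30:00.777000  [**] [1:1000001:1] LOCAL placeholder non-worm alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.44:2001 -> 198.51.100.5:22
"""

def parse_fast_alert(line):
    """Return a dict of fields for one alert_fast line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["sid"] = int(fields["sid"])
    return fields

def triage(lines):
    """Group alerts per source IP into worm-signature hits and everything else."""
    per_src = defaultdict(lambda: {"worm": Counter(), "other": Counter()})
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            continue  # unparseable line (blank, or not alert_fast format)
        bucket = "worm" if alert["sid"] in WORM_SIDS else "other"
        per_src[alert["src"]][bucket][alert["sid"]] += 1
    return dict(per_src)

def summarize(per_src):
    """Label each source; 'worm-only' ones are the unaware infected hosts the thread describes."""
    return {src: ("worm-only" if b["worm"] and not b["other"]
                  else "mixed" if b["worm"] else "non-worm")
            for src, b in per_src.items()}
```

Running `summarize(triage(SAMPLE_ALERTS.splitlines()))` on the constructed input labels 203.0.113.7 as worm-only and 192.0.2.44 as mixed; on a real alert file, the worm-only list is the one that would go into an abuse report, while the others are worth a manual look first.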


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net