[Snort-users] Incident Reporting--The When and How
Keith.Pachulski at ...222...
Tue Aug 1 08:43:45 EDT 2000
Response and reporting of events will normally vary. I personally ignore
things like a single ping sweep or a search of an entire class C for a
single trojan. When the single sweep comes in it's nice to have the source
logged and documented somewhere for future comparison. If the source
returns again looking for something then more action may be needed.

If multiple scans for exploitable services are constantly coming in, I may
blackhole the source temporarily and contact the source or the sources

If one of my servers is under attack (Denial of Service) I may deny all
traffic to the destination; I will contact the source or their upstream.

If a source or multiple sources are targeting a specific service that is
operating on one of my servers, then of course that's a different story. For
example, if I see a few triggers from one of my mail servers either from
snort or one of the other IDSes running, I'll take more notice of those
connections and depending on my gut I'll either temporarily blackhole the
source or block access to the smtp service. Again, either contact the source
or their upstream.
I like to use the CyCon model for response escalation, my comments are in

> Level 1: noise level, no detected scans (always at level one)
> Level 2: unauthorized scans, sporadic attacks detected (log and report to
> source or upstream)
> Level 3: coordinated hack attempts (log, deny to destination, contact
> source or upstream)
> Level 4: successful attacks detected, containment, eradication and
> recovery necessary (deny to destination until secured, log, contact source
> Level 5: under heavy assault, facility shutdown required (self explanatory
> - log, contact source or upstream)
As far as ISPs are concerned I've had some which were very cooperative and
then some who simply hung up on me and refused to speak to me again. I
prefer calling the ISPs and speaking with either the head engineer or a

The policy with most ISPs is supposed to be email abuse at ...223...
<mailto:abuse at ...223...> and simply forget it. You might want to give
them a follow up call and speak with whomever takes care of abuse (or the
head engineer or a security engineer). The problem with abuse is that they
get flooded with things like portscan logs from end user PCs running
personal firewalls which go off for every damn packet
(*cough*Black*cough*Ice*cough*) or logs of people fighting on IRC. When a
log of a user on their network attempting to exploit or successfully
exploiting a service on your servers is sent in, it gets lost in the flood.

Hopefully this made sense because I've yet to have my morning coffee.

From: Steve Halligan [mailto:agent33 at ...187...]
Sent: Monday, July 31, 2000 1:10 PM
To: Snort-Users (E-mail)
Subject: [Snort-users] Incident Reporting--The When and How

-----BEGIN PGP SIGNED MESSAGE-----

I would be very interested in sampling opinion on Incident Reporting
policies. To this point, my personal policy is to review my snort
logs, decide whether something in there has made me pissed off, and if
so, send a nasty-gram to the appropriate abuse contact. I need to

- What types of activity should "piss me off"? A portscan of a
port on my entire subnet? An intrusion attempt on a service I don't
actually have? Obviously I get grumpy if I see a full blown scan or
an attempt at something I am actually running, but what "lesser evils"
should encourage me to take action? I feel some sense of
responsibility to rat out the guy who made an attempt against something
I don't really have, so that the other guy down the line who does is
safe from him. I realize that there is only so much one can do, and
even if you do manage to get someone kicked off their ISP, they will
just go get another, but at least I caused them some hassle.

- I also find that abuse reports often get ignored by ISPs. To what
extent should I bug an ISP when one of their clients is doing naughty
things? Send that first report email and then forget about it?
Follow up at some point? Is there a higher power to resort to?

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.0.2

-----END PGP SIGNATURE-----
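An added example, not code from either poster, of the triage logic the thread describes: parse Snort "fast" alert lines, group them by source, log a source seen only once, report a source that comes back on a later day, and escalate to a temporary blackhole plus report when a source hits a service that is actually running. The alert lines, addresses and the RUNNING_SERVICES set are constructed for the example, and the mapping of actions onto the CyCon levels (log and report at level 2, deny at level 3) is an assumption.

```python
import re
from collections import defaultdict

# Snort "fast" alert format; the [gid:sid:rev], classification and priority
# fields are optional so older one-line alerts without them also parse.
ALERT_RE = re.compile(
    r"^(?P<day>\d\d/\d\d)-(?P<time>[\d:.]+)\s+\[\*\*\]\s+(?:\[[\d:]+\]\s+)?(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Assumption: the services we really run (host, port). A probe for anything
# else is noise to log; a hit on one of these is the "different story".
RUNNING_SERVICES = {("198.51.100.25", 25), ("198.51.100.20", 80)}

# Constructed sample alerts: one sweep from .10, a source (.77) that returns
# two days later, and a source (.55) attacking the live SMTP service.
SAMPLE_ALERTS = [
    "08/01-08:43:45.123456  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.5",
    "08/01-08:43:46.001122  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.6",
    "08/01-23:15:02.404040  [**] [1:1421:2] SNMP AgentX/tcp request [**] [Priority: 2] {TCP} 192.0.2.77:4321 -> 198.51.100.20:705",
    "08/03-02:10:09.555555  [**] [1:1417:2] SNMP request udp [**] [Priority: 2] {UDP} 192.0.2.77:1040 -> 198.51.100.20:161",
    "08/01-10:00:00.000001  [**] [1:654:1] SMTP RCPT TO overflow [**] [Priority: 1] {TCP} 192.0.2.55:1025 -> 198.51.100.25:25",
]


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["dport"] = int(fields["dport"]) if fields["dport"] else None
    return fields


def assess_sources(lines):
    """Group alerts per source and choose a response for each source.

    Decision rules (assumptions modelled on the thread, not a published policy):
      - hits a live service            -> level 3: temporary blackhole and report
      - seen on more than one day      -> level 2: report to abuse/upstream
      - anything else (single sweep)   -> level 2: log for future comparison
    """
    by_src = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        if alert:
            by_src[alert["src"]].append(alert)

    decisions = {}
    for src, alerts in by_src.items():
        days = sorted({a["day"] for a in alerts})
        live_hits = [a["msg"] for a in alerts if (a["dst"], a["dport"]) in RUNNING_SERVICES]
        if live_hits:
            level, action, reason = 3, "blackhole_and_report", "targets a running service: " + ", ".join(live_hits)
        elif len(days) > 1:
            level, action, reason = 2, "report", "returned on %d separate days" % len(days)
        else:
            level, action, reason = 2, "log", "single sighting, record source for comparison"
        decisions[src] = {"level": level, "action": action, "days": days,
                          "alerts": len(alerts), "reason": reason}
    return decisions


if __name__ == "__main__":
    for src, d in sorted(assess_sources(SAMPLE_ALERTS).items()):
        print("%-12s level %d  %-22s %s" % (src, d["level"], d["action"], d["reason"]))
```

Feeding a real alert file through `assess_sources` works the same way as the constructed list; the point of keeping the first-sighting sources in the output, rather than discarding them, is exactly the "log it for future comparison" step, since the "returned" rule only fires if the earlier day is still on record.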