[Snort-users] Incident Reporting--The When and How

Steve Halligan agent33 at ...187...
Mon Jul 31 13:10:20 EDT 2000

I would be very interested in sampling opinion on Incident Reporting
policies.  To this point, my personal policy is to review my snort
logs, decide whether something in there has made me pissed off, and if
so, send a nasty-gram to the appropriate abuse contact.  I need to
formalize this.  

- What types of activity should "piss me off"?  A portscan of a
port on my entire subnet?  An intrusion attempt on a service I don't
actually have?  Obviously I get grumpy if I see a full-blown scan or
an attempt at something I am actually running, but what "lesser evils"
should encourage me to take action?  I feel some sense of
responsibility to rat out the guy who made an attempt against something
I don't really have, so that the other guy down the line who does is
safe from him.  I realize that there is only so much one can do, and
even if you do manage to get someone kicked off their ISP, they will
just go get another, but at least I caused them some hassle.

- I also find that abuse reports often get ignored by ISPs.  To what
extent should I bug an ISP when one of their clients is doing naughty
things?  Send that first report email and then forget about it?
Follow up at some point?  Is there a higher power to resort to?
