[Snort-users] Incident Reporting--The When and How

Christopher Cramer cec at ...68...
Mon Jul 31 13:23:30 EDT 2000

Along those lines, when things piss me off, I generally nmap scan the
offender under the assumption that whatever he's looking for is probably
the type of box he's calling from.  For example, often when we get ftp
scans, it is from a box running a version of ftpd known to be
vulnerable.  The down side of this is that I recently got a call from the
police suggesting that my scan indicated that I was the source of this
guy's hacked box.  The police understood completely and it helped that I
still had the logs from the incident to back up my claim.

The moral?  If you are going to do such scans, make sure that it is
written into policy, along w/ a statement of how long you will keep the
logs prompting the scan.  If you have no policy, you can be screwed for
not having the logs.  If your policy says we keep the logs for 1 month,
then you are only following your policy if they get trashed afterwards.

As for ISPs, I tend to assume they'll ignore my complaints.  If I have
records of multiple complaint letters w/ no action, I might eventually
block all access from them.  But again this is an action I would take only
w/ _major_ documentation.


Dr. Christopher E. Cramer
Associate in Research
Duke University, Department of Electrical and Computer Engineering
114 Hudson Hall, Box 90291, Durham, NC  27708-0291
PH:  919-660-5248     FAX:  919-660-5293     email:  cec at ...68...

On Mon, 31 Jul 2000, Steve Halligan wrote:

> Hash: SHA1
> I would be very interested in sampling opinion on Incident Reporting
> policies.  To this point, my personal policy is to review my snort
> logs, decide whether something in there has made me pissed off, and if
> so, send a nasty-gram to the appropriate abuse contact.  I need to
> formalize this.  
> - - -What types of activity should "piss me off"?  A portscan of a
> single
> port on my entire subnet?  An intrusion attempt on a service I don't
> actually have?  Obviously I get grumpy if I see a full blown scan or
> an attempt at something I am actually running, but what "lesser evils"
> should encourage me to take action.  I feel some sense of
> responsiblity to rat out the guy who made an attempt against something
> I don't really have, so that the other guy down the line who does is
> safe from him.  I realize that there is only so much one can do, and
> even if you do manage to get someone kicked off their ISP, they will
> just go get another, but at least I caused them some hassle.
> - - -I also find that abuse reports often get ignored by ISP's.  To what
> extent should I bug an ISP when one of their clients is doing naughty
> things?  Send that first report email and then forget about it? 
> Follow up at some point?  Is there a higher power to resort to? 
> Version: PGP Personal Privacy 6.0.2
> 2GVuJ7NgjewO5tsA6Y4i/PeI
> =XPt3

More information about the Snort-users mailing list