[Snort-users] Incident Reporting--The When and How

Laurie Zirkle lat at ...214...
Mon Jul 31 13:48:27 EDT 2000

I don't scan back.  I leave that to other people here that
enjoy doing things like that.  I do flag most things, even
if it's a lone finger/telnet/rcp attempt.  I don't always
report the lone attempt to the offending site; it depends
on my mood, how many other attempted scans/probes I have
to wade through and how many times I've seen things from the
same site.  Some of it is just instinct, I guess.  I've
been pleasantly surprised by the replies I have gotten to
some of my "probe" messages -- even though some of the bigger
scan messages have fallen into black holes, some of the
lesser ones (even the single telnet attempts) have solicited
thanks and action on the part of the offending site/ISP.

I keep track of who I contact and what their response is,
just for the heck of it.  I average somewhat better than
a 50% response rate.

