[Snort-users] Incident Reporting--The When and How
hoagland at ...47...
Mon Jul 31 14:22:24 EDT 2000
>[snip] I feel some sense of
>responsiblity to rat out the guy who made an attempt against something
>I don't really have, so that the other guy down the line who does is
>safe from him. I realize that there is only so much one can do, and
>even if you do manage to get someone kicked off their ISP, they will
>just go get another, but at least I caused them some hassle.
Just thought I'd drop a brief note here. In our experience, the site
we see a scan or probe come from is often a victim. Someone remote
compromised their host and used that to do scanning/probing. So, we
typically view any source follow-up that we do as a courtesy rather
than casting blame. YMMV.
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* hoagland at ...47... *|
|* Voice: (707) 445-4355 x13 Fax: (707) 826-7571 *|
More information about the Snort-users