[Snort-users] Incident Reporting--The When and How

James Hoagland hoagland at ...47...
Mon Jul 31 14:22:24 EDT 2000

>[snip]  I feel some sense of
>responsibility to rat out the guy who made an attempt against something
>I don't really have, so that the other guy down the line who does is
>safe from him.  I realize that there is only so much one can do, and
>even if you do manage to get someone kicked off their ISP, they will
>just go get another, but at least I caused them some hassle.


Just thought I'd drop a brief note here.  In our experience, the site 
we see a scan or probe come from is often a victim.  Someone remote 
compromised their host and used that to do scanning/probing.  So, we 
typically view any source follow-up that we do as a courtesy rather 
than casting blame.  YMMV.


|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...47...                *|
|*  Voice: (707) 445-4355 x13          Fax: (707) 826-7571  *|
