[Snort-users] Am I the only one pulling my slowly-turning-gra y hair out!

Keith Pachulski Keith.Pachulski at ...222...
Wed Nov 8 14:20:16 EST 2000


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Welcome to the world of network security. Working for an ISP I can
sympathize with you. The response each individual ISP will take with
reports varies as most ISP are literally drowned with real breaches
as well as garbage sent to abuse@ daily. For the most part we receive
alot of garbage but taking the time to filter through all of these
reports can kill a day.

What we really need is more end user training, as more and more end
users are using home PC Based Firewalls they are sending in logs of
reported "attacks" when the logs really contain nothing. Nothing
meaning a user got pinged, his/her PC Firewall goes off and the user
thinks he/she is being attacked. Having no idea how to capture the
log in a text file the user takes a screen shot and sends the jpg to
abuse and expects some type of reaction YESTERDAY. On average we
receive 40-50 a day, most reports originate from BlackIce which I`ve
grown to hate (No offense intended to the Network Ice employees on
this list).

I`m not trying to make excuses for other ISP's, just trying to make
those of you who send real reports to ISP and sometimes do not get a
response for a week or two. Just send in the report, give it a few
days then send a friendly "So hows it going with that report I sent
in" email.

For those ISP's that simply ignore all reports and allow rogue users
to use their network, I know there are alot because i`ve dealt with
some of those, then other ISP's or their upstream providers need to
be brought into the picture and get some results (strength in
numbers).

As for the ISP I work for, we invesigate all reports sent in. We
normally email the reporter in a day or two saying we are looking
into it. If its garbage we email the reporter explaining to them why
we discarded the report. If it is something real, we email the
reporter letting them know the incident is under investigation. A
normal "investigation" takes a few days. After we have come to some
solid conclusion we normally email the reporter with what we found.

Just my two cents in the scheme of things,

- -Keith

- -----Original Message-----
From: Robert L. Yelvington [mailto:rly at ...579...]
Sent: Thursday, November 09, 2000 1:55 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] Am I the only one pulling my
slowly-turning-gray
hair out!


I am using the latest 'snort' and it works like a champ!  It is
everything that I have heard about and MORE!...and no I am not on
'the payroll'...teehee.

My question is as follows:

Since I have been monitoring and mediating network traffic on my
network(s), I have discovered actual break-in attempts, port scans,
etc.
by so-called 'hackers' or 'crackers'.  No sweat.  Most of them are
just
pimply faced 'script kiddies' using outta-the-box software.  No real
threats.

However, am I the only one who gets the run around when reporting
this
devious activity to ISP's?  .OR. am I doing something wrong?  I know
we
hate even the mention of it, but are there any laws holding ISPs
accountable?  Will someone please advise.  And one last thing (I am
sure
that you folks already know), don't try to report an incident to the
folks at the "@home" network...they'll just transfer you in circles,
then hang up on you once your estimated wait time has been reached
(no
offense to any of you @home techies in the audience...I know you're
out there!).

Thanks for the open ports, ladies & gentlemen.

Respectfully,
Rob
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOgmof+GTq6qVSXTQEQKwsQCg7gf8ndOOuf/EcckYX1DEGyA7gfgAoN7j
GCTrII+1BdgCMPU0/PGETNKI
=LhaD
-----END PGP SIGNATURE-----



More information about the Snort-users mailing list