[Snort-users] Am I the only one pulling my slowly-turning-gray hair out!

Laurie Zirkle lat at ...214...
Thu Nov 9 07:43:25 EST 2000


I guess I'm one of the "lucky" admins, because 20% of my time is officially
for security of any sort.  That, and the person here that I used to rely on
to contact abuse at ...769... or the appropriate WHOIS contact is snowed under
with other things security-wise.  So, I set up a template and I use e-mail
only.  I include the IP and/or name of the offending host, a full complement
of whatever I have logged (not including the actual packet content from snort)
and my timezone/country.  I also keep track of the responses I get, these
are posted at the SANS web site once a month at about the middle of the month
(to allow for late responses).

Sometimes I get nothing, sometimes I get just an automated response.  Sometimes
I am not the only one to complain and something gets done.  Actually I've been
surprised at the amount of responses I have gotten since I started doing this
about April.  I've even been (un?)lucky enough to have been contacted by the
FBI because I reported probes/scans about machines involved in one of their
investigations.  Sometimes I'm called for more information, sometimes I'm 
called for help because they are not as up-to-speed, sometimes I'm called just
to be given a status report.

On days that we've been heavily hit, I may spend an hour or two putting
everything together, but usually it's not even that much time.  I've gotten
this procedure almost down to a science.  (Now I just need to automate it...
although I type and cut/paste fast enough that it hasn't been an issue as of
yet.)

If you have some time, I would just create a template where all you need to
do is cut/paste the log entries and use e-mail.  Then, unless it's a blatant
attempt to compromise your machine(s), I'd just about my merry way.

--
Laurie



More information about the Snort-users mailing list