[Snort-users] Am I the only one pulling my slowly-turning-gray hair out!
lat at ...214...
Thu Nov 9 07:43:25 EST 2000
I guess I'm one of the "lucky" admins, because 20% of my time is officially
for security of any sort. That, and the person here that I used to rely on
to contact abuse at ...769... or the appropriate WHOIS contact is snowed under
with other things security-wise. So, I set up a template and I use e-mail
only. I include the IP and/or name of the offending host, a full complement
of whatever I have logged (not including the actual packet content from snort)
and my timezone/country. I also keep track of the responses I get, these
are posted at the SANS web site once a month at about the middle of the month
(to allow for late responses).
Sometimes I get nothing, sometimes I get just an automated response. Sometimes
I am not the only one to complain and something gets done. Actually I've been
surprised at the amount of responses I have gotten since I started doing this
about April. I've even been (un?)lucky enough to have been contacted by the
FBI because I reported probes/scans about machines involved in one of their
investigations. Sometimes I'm called for more information, sometimes I'm
called for help because they are not as up-to-speed, sometimes I'm called just
to be given a status report.
On days that we've been heavily hit, I may spend an hour or two putting
everything together, but usually it's not even that much time. I've gotten
this procedure almost down to a science. (Now I just need to automate it...
although I type and cut/paste fast enough that it hasn't been an issue as of
If you have some time, I would just create a template where all you need to
do is cut/paste the log entries and use e-mail. Then, unless it's a blatant
attempt to compromise your machine(s), I'd just go about my merry way.