[Snort-users] Am I the only one pulling my slowly-turning-gray hair out! (OT)
mark.rowlands at ...752...
Fri Nov 10 02:04:15 EST 2000
On Wednesday 08 November 2000 19:20, Keith Pachulski wrote:
[snip]
> On average we
> receive 40-50 a day, most reports originate from BlackIce which I`ve
> grown to hate (No offense intended to the Network Ice employees on
> this list).
Had to throw in my $2 here. If there are any NI folks in here, they could
probably earn the undying gratitude of ISPs by adding a packet decoder
and forcing the collection of "alertable" packets. I mean it can collect
the packets, but most domestic users just don't understand what it is doing.
Perhaps (and may the Lord strike me dead for this) a Microsoft-style "Report
your incident" wizard might at least improve the quality of submissions... and
give you a standard mail header so you could automate their handling.
> As for the ISP I work for, we investigate all reports sent in. We
> normally email the reporter in a day or two saying we are looking
> into it. If it's garbage we email the reporter explaining to them why
> we discarded the report. If it is something real, we email the
> reporter letting them know the incident is under investigation. A
> normal "investigation" takes a few days. After we have come to some
> solid conclusion we normally email the reporter with what we found.
I did a little study of this... over a month, 10 ISPs and around 90
assorted scans (only two actually worth looking at), 50% of ISPs responded;
one, UUNET, actually informed me that the accounts involved had been
terminated. The others essentially said "ok, thanks for the info..."
I do think it begs a question though: although much of the activity we see on
a daily basis is automated idiocy, it does increase the noise level and makes
it harder to keep an eye on the more serious attempts. A more aggressive
pursuit of ISPs by us, and of errant script kiddies by ISPs, might be worth it for
this reason alone.