[Snort-users] Am I the only one pulling my slowly-turning-gray hair out! (OT)

Mark Rowlands mark.rowlands at ...752...
Fri Nov 10 02:04:15 EST 2000

On Wednesday 08 November 2000 19:20, Keith Pachulski wrote:
[snip]
> On average we
> receive 40-50 a day, most reports originate from BlackIce which I've
> grown to hate (No offense intended to the Network Ice employees on
> this list).

Had to throw in my 2$ here. If there are any NI folks in here, they could 
probably earn the undying gratitude of ISPs by adding a packet decoder 
and forcing the collection of "alertable" packets. I mean it can collect 
the packets, but most domestic users just don't understand what it is doing.

Perhaps (and may the Lord strike me dead for this) a Microsoft-style "Report 
your incident" wizard might at least improve the quality of submissions... and 
give you a standard mail header so you could automate their handling.

> As for the ISP I work for, we investigate all reports sent in. We
> normally email the reporter in a day or two saying we are looking
> into it. If it's garbage we email the reporter explaining to them why
> we discarded the report. If it is something real, we email the
> reporter letting them know the incident is under investigation. A
> normal "investigation" takes a few days. After we have come to some
> solid conclusion we normally email the reporter with what we found.

I did a little study of this... over a month, 10 ISPs and around 90 
assorted scans (only two actually worth looking at), 50% of ISPs responded;
one, UUNET, actually informed me that the accounts involved had been 
terminated. The others essentially said "ok thanks for the info..."

I do think it begs a question though: although much of the activity we see on 
a daily basis is automated idiocy, it does increase the noise level and make 
it harder to keep an eye on the more serious attempts. A more aggressive 
pursuit by us of ISPs, and by ISPs of errant script kiddies, might be worth it for 
this reason alone.
