[Snort-users] OT: how to respond to alerts

John_Delisle at ...1523...
Sun Apr 1 14:05:50 EDT 2001


For something that obvious and rude I usually block them at the firewall
first, then send an email to the block admin.  A portscan isn't a big deal,
but for multiple scans or one or more targeted ones I block the address on my firewall.

John Delisle
Corporate Technology
Ceridian Canada Ltd
204-975-5909


From: "Anders Toll" <anders_toll at ...125...>
Sent by: snort-users-admin at ...635... eforge.net
To: snort-users at lists.sourceforge.net
cc:
Subject: [Snort-users] OT: how to respond to alerts
Date: 2001/03/30 07:36 AM




This doesn't really have to do with Snort but is relevant anyway:

How do you respond to the alerts? Send email complaining to RIPE addresses?
Block the users out at gateway/firewall level?

This morning I found an IP address that had been bad with one of our web
servers:

71 different signatures are present for x.x.x.x as a source

1 instances of WEB-FRONTPAGE orders.txt access
1 instances of WEB-MISC /cgi-bin/jj attempt
1 instances of WEB-FRONTPAGE author.exe access
1 instances of WEB-MISC piranha passwd.php3 access
1 instances of WEB-FRONTPAGE form_results access
[...]

Typically a scriptkiddie trying to find a hole.

What should be a proper way to deal with this? Should I send an email
complaining together with firewall-logs and snort-logs?

Does it really matter to complain?


Best regards

Anders T
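An added example, not code from either poster: a small Python triage helper that parses the per-source summary format quoted above ("N different signatures are present for SRC as a source" followed by "N instances of SIG" lines) and applies the policy from John's reply, logging a lone probe but flagging a source with several distinct targeted signatures for a firewall block and an abuse report. The sample text and the threshold of three distinct signatures are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the summary format quoted in the thread (not real alert data).
SAMPLE = """\
71 different signatures are present for 192.0.2.10 as a source

1 instances of WEB-FRONTPAGE orders.txt access
1 instances of WEB-MISC /cgi-bin/jj attempt
1 instances of WEB-FRONTPAGE author.exe access
1 instances of WEB-MISC piranha passwd.php3 access
1 instances of WEB-FRONTPAGE form_results access

1 different signatures are present for 198.51.100.7 as a source

1 instances of ICMP PING NMAP
"""

SOURCE_RE = re.compile(r"^(\d+) different signatures? are present for (\S+) as a source")
INSTANCE_RE = re.compile(r"^(\d+) instances? of (.+)$")


def parse_summary(text):
    """Return {source: {"reported": n_from_header, "signatures": [(count, name), ...]}}.

    The header count is kept separately because the archive output may elide
    entries ("[...]"), so fewer signature lines than the header claims can follow.
    """
    alerts = defaultdict(lambda: {"reported": 0, "signatures": []})
    current = None
    for line in text.splitlines():
        m = SOURCE_RE.match(line)
        if m:
            current = m.group(2)
            alerts[current]["reported"] = int(m.group(1))
            continue
        m = INSTANCE_RE.match(line)
        if m and current:
            alerts[current]["signatures"].append((int(m.group(1)), m.group(2).strip()))
    return dict(alerts)


def triage(alerts, block_threshold=3):
    """Assumed policy: one scan/probe signature is logged; a source with at least
    block_threshold distinct signatures is blocked at the firewall and reported."""
    decisions = {}
    for src, info in alerts.items():
        distinct = max(info["reported"], len({name for _, name in info["signatures"]}))
        decisions[src] = "block-and-report" if distinct >= block_threshold else "log-only"
    return decisions
```

Running `triage(parse_summary(SAMPLE))` classifies the web-probing source as block-and-report and the single-ping source as log-only.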










