[Snort-users] I'm being attacked, now what?

Sheahan, Paul (PCLN-NW) Paul.Sheahan at ...2218...
Fri Jun 15 15:12:54 EDT 2001

I wanted to get some feedback from others out there on how they handle
attacks, whether successful or unsuccessful. I see what appear to be valid
attacks in small numbers from random machines. Occasionally, I see tons of
different attacks coming from ONE machine. Though all attacks are
unsuccessful, when does someone scream to the ISP to tell them to stop their
client, and when does one just ignore it?

It would obviously be VERY time-consuming (and a waste of time) to send
complaints to every ISP. What do people recommend out there... maybe only
send a complaint when attacks from one node become ridiculously large, or if
they successfully break in?

The logs are nice to have, but I know management will ask what are we doing
about the attacks we are seeing and what is the time you are spending
maintaining the IDS server doing for the company?

