[Snort-users] I'm being attacked, now what?

Paulie paulie at ...2160...
Fri Jun 15 15:38:03 EDT 2001


You could always write a script that scanned the logs for some criteria
and then kicked an email to the technical contact of the organization
maintaining the ip address space (via a whois at ...2293..., or apnic, or...).
I had good luck with this back in the SMURF heyday.  Prolly wanna be
careful re: the amount of SPAM you generate tho.

But in the long run it seems like the IDS' purpose is to keep you
informed.  It's been a paranoia-inducing addition to my network but I'd
rather be aware of the kinds of probes I'm getting hit with etc than not.
It's not really like a firewall where you can point to it and say "it's
blocking packets".  It's more of an info-gathering tool.  An alarm rather
than a barrier.

My 2 cents.

Paul

On Fri, 15 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:

> I wanted to get some feedback from others out there on how they handle
> attacks, whether successful or unsuccessful. I see what appears to be valid
> attacks in small numbers from random machines. Occasionally, I see tons of
> different attacks coming from ONE machine. Though all attacks are
> unsuccessful, when does someone scream to the ISP to tell them to stop their
> client, and when does one just ignore it?
>
> It would obviously be VERY time consuming (and a waste of time) to send
> complaints to every ISP. What do people recommend out there....maybe only
> send a complaint when attacks from one node become ridiculously large, or if
> they successfully break in?
>
> The logs are nice to have, but I know management will ask what are we doing
> about the attacks we are seeing and what is the time you are spending
> maintaining the IDS server doing for the company?
>
> Thanks
>
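
The log-scanning idea from the reply above, as an added example that is not from either poster: it groups Snort alerts by source, picks a source only when it passes both an alert-count and a distinct-signature threshold, and skips sources already reported so the volume of complaints stays low. The alert lines are constructed in Snort's "fast" alert layout, the thresholds and function names are assumptions, and looking up the whois contact and sending the mail are left to the operator.

```python
import re
from collections import defaultdict

# Constructed sample alerts in Snort's "fast" layout (documentation IPs, not real traffic).
SAMPLE_ALERTS = """\
06/15-15:01:10.100000  [**] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 192.0.2.10:4021 -> 10.0.0.5:80
06/15-15:01:12.200000  [**] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 192.0.2.10:4022 -> 10.0.0.5:80
06/15-15:01:15.300000  [**] WEB-CGI phf access [**] [Priority: 2] {TCP} 192.0.2.10:4023 -> 10.0.0.5:80
06/15-15:01:20.400000  [**] SCAN nmap TCP [**] [Priority: 2] {TCP} 192.0.2.10:4024 -> 10.0.0.5:22
06/15-15:02:00.500000  [**] WEB-CGI phf access [**] [Priority: 2] {TCP} 198.51.100.7:1100 -> 10.0.0.5:80
06/15-15:03:01.600000  [**] ICMP PING NMAP [**] [Priority: 2] {ICMP} 203.0.113.5 -> 10.0.0.5
06/15-15:03:02.600000  [**] ICMP PING NMAP [**] [Priority: 2] {ICMP} 203.0.113.5 -> 10.0.0.5
06/15-15:03:03.600000  [**] ICMP PING NMAP [**] [Priority: 2] {ICMP} 203.0.113.5 -> 10.0.0.5
06/15-15:03:04.600000  [**] ICMP PING NMAP [**] [Priority: 2] {ICMP} 203.0.113.5 -> 10.0.0.5
"""

# Signature text sits between the [**] markers (an optional [gid:sid:rev] tag is
# skipped); the source address follows {PROTO}, with no port on ICMP lines.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+(?:\[\d+:\d+:\d+\]\s+)?(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{\w+\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->")

def summarize(text):
    """Group alerts by source IP: total count and the set of distinct signatures."""
    stats = defaultdict(lambda: {"count": 0, "sigs": set()})
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            entry = stats[m["src"]]
            entry["count"] += 1
            entry["sigs"].add(m["msg"])
    return dict(stats)

def sources_to_report(stats, already_reported, min_alerts=4, min_sigs=3):
    """Sources that are both noisy and varied, minus any already complained about."""
    return [src for src, s in sorted(stats.items())
            if src not in already_reported
            and s["count"] >= min_alerts and len(s["sigs"]) >= min_sigs]

def draft_report(src, s):
    """Body of one complaint; contact lookup and sending are left to the operator."""
    sigs = ", ".join(sorted(s["sigs"]))
    return f"Source {src}: {s['count']} alerts, signatures: {sigs}"

if __name__ == "__main__":
    stats = summarize(SAMPLE_ALERTS)
    for src in sources_to_report(stats, already_reported=set()):
        print(draft_report(src, stats[src]))
```

Persisting the `already_reported` set between runs is what caps the outgoing mail at one complaint per source.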