[Snort-users] I'm being attacked, now what?
paulie at ...2160...
Fri Jun 15 15:38:03 EDT 2001
You could always write a script that scanned the logs for some criteria
and then kicked an email to the technical contact of the organization
maintaining the IP address space (via a whois at ...2293..., or apnic, or...).
I had good luck with this back in the SMURF heyday. Probably want to be
careful re: the amount of SPAM you generate though.
But in the long run it seems like the IDS's purpose is to keep you
informed. It's been a paranoia-inducing addition to my network, but I'd
rather be aware of the kinds of probes I'm getting hit with etc. than not.
It's not really like a firewall where you can point to it and say "it's
blocking packets". It's more of an info-gathering tool. An alarm rather
than a barrier.
My 2 cents.
On Fri, 15 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:
> I wanted to get some feedback from others out there on how they handle
> attacks, whether successful or unsuccessful. I see what appears to be valid
> attacks in small numbers from random machines. Occasionally, I see tons of
> different attacks coming from ONE machine. Though all attacks are
> unsuccessful, when does someone scream to the ISP to tell them to stop their
> client, and when does one just ignore it?
> It would obviously be VERY time consuming (and a waste of time) to send
> complaints to every ISP. What do people recommend out there... maybe only
> send a complaint when attacks from one node become ridiculously large, or if
> they successfully break in?
> The logs are nice to have, but I know management will ask what are we doing
> about the attacks we are seeing and what is the time you are spending
> maintaining the IDS server doing for the company?
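A skeleton of the log-scanning script paulie describes, as an added example that is not part of his post, of the thread, or of Snort itself. It is Python, assumes Snort's alert_fast output format, uses a hypothetical `ids@example.net` sender and arbitrary thresholds, and substitutes a stub for the real whois lookup (a plain RFC 3912 `whois_query` over TCP/43 is included but not exercised offline). Every alert line, whois record, sid and address below is constructed sample data. The "spam" caveat from the post is built in: a source is reported only when it is noisy, and never twice.

```python
"""Added example, not from the Snort-users thread: group Snort alert_fast lines
by source, pick sources that cross a complaint threshold, pull the abuse contact
from whois text and build (not send) one complaint each. All sample data is constructed."""
import ipaddress, re, socket
from collections import Counter, defaultdict
from email.message import EmailMessage

# alert_fast line: 06/15-15:38:03.123456  [**] [1:1234:1] SCAN nmap TCP [**] [Classification: X] [Priority: 2] {TCP} 192.0.2.10:4567 -> 198.51.100.5:80
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?")
# Sources nobody upstream can act on. Listed explicitly rather than via ipaddress.is_global,
# which would also drop the RFC 5737 documentation ranges used in the sample data.
NON_REPORTABLE = [ipaddress.ip_network(n) for n in
                  ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]
# Contact fields as the RIRs' whois prints them (RIPE/APNIC style first, ARIN style after).
CONTACT_RE = re.compile(r"^(?P<field>abuse-mailbox|OrgAbuseEmail|OrgTechEmail|e-mail):\s*(?P<addr>[^\s@]+@\S+)\s*$",
                        re.M | re.I)
PREFERENCE = ("abuse-mailbox", "orgabuseemail", "orgtechemail", "e-mail")

def parse_alert(line):
    """Fields of one alert_fast line as a dict, or None if the line is in another format."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["prio"] = int(d["prio"]) if d["prio"] else None
    return d

def alerts_by_source(lines, max_priority=2):
    """Group alerts by source IP, keeping priority <= max_priority (1 is most severe)."""
    out = defaultdict(list)
    for a in filter(None, map(parse_alert, lines)):
        if a["prio"] is None or a["prio"] > max_priority:
            continue
        if any(ipaddress.ip_address(a["src"]) in net for net in NON_REPORTABLE):
            continue
        out[a["src"]].append(a)
    return dict(out)

def pick_reportable(by_src, min_alerts=20, min_distinct_sigs=3, already_reported=frozenset()):
    """Only noisy sources (many alerts or many distinct signatures), never the same one twice:
    this is what keeps the script from becoming a spam source itself."""
    return {src: alerts for src, alerts in by_src.items() if src not in already_reported and
            (len(alerts) >= min_alerts or len({a["sid"] for a in alerts}) >= min_distinct_sigs)}

def abuse_contact(whois_text):
    """Best contact address in the whois text: abuse mailbox preferred, None if there is none."""
    found = {}
    for m in CONTACT_RE.finditer(whois_text):
        found.setdefault(m.group("field").lower(), m.group("addr"))
    return next((found[f] for f in PREFERENCE if f in found), None)

def whois_query(ip, server="whois.arin.net", timeout=10):
    """Plain RFC 3912 whois over TCP/43 (needs network; the demo below stubs it out)."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall((ip + "\r\n").encode())
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    return data.decode(errors="replace")

def build_complaint(src, alerts, to_addr, from_addr="ids@example.net"):
    """Compose the complaint; handing it to smtplib is left to the caller."""
    msg = EmailMessage()
    msg["From"], msg["To"] = from_addr, to_addr
    msg["Subject"] = f"Abuse report: {len(alerts)} IDS alerts from {src}"
    sigs = Counter(f"{a['sid']} {a['msg']}" for a in alerts)
    body = [f"Our IDS logged {len(alerts)} alerts from {src} between {alerts[0]['ts']} and "
            f"{alerts[-1]['ts']} (sensor local time).", "Signatures (sid message: count):"]
    msg.set_content("\n".join(body + [f"  {s}: {n}" for s, n in sigs.most_common()]) + "\n")
    return msg

def run(lines, whois_fn=whois_query, already_reported=frozenset(), **thresholds):
    """Source IP -> complaint message for every source worth reporting."""
    reports = {}
    for src, alerts in pick_reportable(alerts_by_source(lines), already_reported=already_reported, **thresholds).items():
        contact = abuse_contact(whois_fn(src))
        if contact is not None:       # no usable contact in whois: skip rather than guess
            reports[src] = build_complaint(src, alerts, contact)
    return reports

# ---- constructed sample data (RFC 5737 addresses, made-up sids), not real traffic ----
def _mk(ts, sid, msg, prio, src, sport, dst):
    return (f"06/15-{ts}  [**] [1:{sid}:1] {msg} [**] [Classification: Attempted Information Leak] "
            f"[Priority: {prio}] {{TCP}} {src}:{sport} -> {dst}:80")

SAMPLE_ALERTS = (
    [_mk(f"15:38:{i:02d}.000000", 1000 + i % 2, "SCAN nmap TCP", 2, "192.0.2.10", 40000 + i, "198.51.100.5")
     for i in range(22)]                                                                    # one noisy scanner
    + [_mk("15:40:01.000000", 2001, "WEB-MISC probe", 2, "203.0.113.7", 51000, "198.51.100.5")]  # a one-off
    + [_mk("15:41:01.000000", 2002, "INFO harmless probe", 3, "192.0.2.10", 1, "198.51.100.5")]  # below priority cut
    + [_mk("15:42:01.000000", 2003, "SCAN nmap TCP", 2, "10.0.0.5", 1234, "198.51.100.5")])     # internal source
SAMPLE_WHOIS = {"192.0.2.10": "NetRange:       192.0.2.0 - 192.0.2.255\nOrgName:        Example Net\n"
                              "OrgTechEmail:   noc@example.com\nOrgAbuseEmail:  abuse@example.com\n"}

def fake_whois(ip):
    """Offline stand-in for whois_query."""
    return SAMPLE_WHOIS.get(ip, "")

if __name__ == "__main__":
    for msg in run(SAMPLE_ALERTS, whois_fn=fake_whois).values():
        print(msg)
```

Run stand-alone it prints one complaint, for the scanner that tripped 22 alerts; the one-off source, the low-priority line and the RFC 1918 source are all filtered out before any whois lookup happens. In real use, persist the `already_reported` set (a file keyed by source and date is enough), hand `whois_query` in as `whois_fn`, and review the messages before anything goes to `smtplib`, since a threshold that is too low turns the IDS into exactly the kind of unsolicited mail source the post warns about.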