[Snort-users] I'm being attacked, now what?

Bob Staaf rstaaf at ...1457...
Fri Jun 15 19:00:10 EDT 2001


     The technical contact should be good, and most ISPs have an email
address similar to abuse at ...558... or webmaster at ...558..., or visit the
ISP website and check to see how to report network abuse; most have that
info on their site.  I usually attach the corresponding parts of the log
with my IP anonymized so they can see the details of the attack.


----- Original Message -----
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan at ...2218...>
To: "'Bob Staaf '" <rstaaf at ...1457...>; "Sheahan, Paul (PCLN-NW)"
<Paul.Sheahan at ...2218...>; <Snort-users at lists.sourceforge.net>
Sent: Friday, June 15, 2001 6:47 PM
Subject: RE: [Snort-users] I'm being attacked, now what?

> I agree with you Bob....I have a LOT of other things I need to be doing
> rather than whining to ISPs all day. Typically, where are complaints sent,
> to the technical contact who owns the address space or "security at ...2295..."
> or something similar? Would it be a good idea to include sniffer traces with
> the complaint? What info is best to send over?
> Thanks again!
> -----Original Message-----
> From: Bob Staaf
> To: Sheahan, Paul (PCLN-NW); Snort-users at lists.sourceforge.net
> Sent: 6/15/01 4:05 PM
> Subject: Re: [Snort-users] I'm being attacked, now what?
> Paul,
>      I started out in the beginning whining to every ISP I could track
> down. You would have to hire a person full time to do that if that is
> what you wanted to do.  I typically whine if they scan more than 3 or 4
> ports on any one server at once.  I also whine if they do certain types
> of scans that a typical script kiddie wouldn't be running.  You might
> also want to complain if you see the same IP hitting your server day
> after day after day, even if they only do one scan once a day; they may
> be trying to be inconspicuous, hoping you will miss them.  Just some of
> the things to think about.  You might want to look at something to help
> manage the logs like Acid or some other product; it will make the job
> much easier to spot trends.
>      You know your management better than anyone, but the BEST security
> measure you can take is knowing what is going on with your network, and
> keeping a close eye on the logs is one of the best ways to do that.
> Hope this helps
> Bob Staaf
> Southern Web Services
> Orlando, Fl
> ----- Original Message -----
> From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan at ...2218...>
> To: <Snort-users at lists.sourceforge.net>
> Sent: Friday, June 15, 2001 3:12 PM
> Subject: [Snort-users] I'm being attacked, now what?
> > I wanted to get some feedback from others out there on how they handle
> > attacks, whether successful or unsuccessful. I see what appears to be
> > valid attacks in small numbers from random machines. Occasionally, I
> > see tons of different attacks coming from ONE machine. Though all
> > attacks are unsuccessful, when does someone scream to the ISP to tell
> > them to stop their client, and when does one just ignore it?
> >
> > It would obviously be VERY time consuming (and a waste of time) to send
> > complaints to every ISP. What do people recommend out there....maybe
> > only send a complaint when attacks from one node become ridiculously
> > large, or if they successfully break in?
> >
> > The logs are nice to have, but I know management will ask what are we
> > doing about the attacks we are seeing and what is the time you are
> > spending maintaining the IDS server doing for the company?
> >
> > Thanks
> >
> >
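
The triage rules discussed in this thread (more than 3 or 4 ports probed on one server, or the same source returning day after day) and the habit of masking your own IP before attaching logs can be scripted. The following is an added example, not code from anyone in the thread; the thresholds, the simplified alert line layout and the `own_prefix` parameter are assumptions.

```python
import re
from collections import defaultdict

# Constructed alerts modeled on Snort's fast alert format (documentation IPs).
SAMPLE = """\
06/13-02:14:07 [**] SCAN probe [**] {TCP} 203.0.113.9:40100 -> 192.0.2.10:21
06/13-02:14:07 [**] SCAN probe [**] {TCP} 203.0.113.9:40101 -> 192.0.2.10:22
06/13-02:14:08 [**] SCAN probe [**] {TCP} 203.0.113.9:40102 -> 192.0.2.10:23
06/13-02:14:08 [**] SCAN probe [**] {TCP} 203.0.113.9:40103 -> 192.0.2.10:25
06/13-02:14:09 [**] SCAN probe [**] {TCP} 203.0.113.9:40104 -> 192.0.2.10:80
06/13-11:30:00 [**] WEB probe [**] {TCP} 198.51.100.7:5000 -> 192.0.2.10:80
06/14-11:31:12 [**] WEB probe [**] {TCP} 198.51.100.7:5001 -> 192.0.2.10:80
06/15-11:29:45 [**] WEB probe [**] {TCP} 198.51.100.7:5002 -> 192.0.2.10:80
06/14-16:02:33 [**] WEB probe [**] {TCP} 203.0.113.50:6000 -> 192.0.2.11:80
"""
ALERT = re.compile(r"^(\d\d/\d\d)-\S+ .*\} (\S+?):\d+ -> (\S+?):(\d+)$")
MAX_PORTS = 4   # assumption: "more than 3 or 4 ports on any one server"
MIN_DAYS = 3    # assumption: "day after day after day"

def triage(log_text):
    """Return {source_ip: [reasons]} for sources worth an abuse report."""
    ports = defaultdict(set)   # (src, dst) -> destination ports probed
    days = defaultdict(set)    # src -> calendar days it was seen
    for line in log_text.splitlines():
        m = ALERT.match(line.strip())
        if not m:
            continue           # skip lines that are not port-bearing alerts
        day, src, dst, dport = m.groups()
        ports[(src, dst)].add(int(dport))
        days[src].add(day)
    report = defaultdict(list)
    for (src, dst), seen in ports.items():
        if len(seen) > MAX_PORTS:
            report[src].append(f"{len(seen)} ports on one server")
    for src, seen in days.items():
        if len(seen) >= MIN_DAYS:
            report[src].append(f"seen on {len(seen)} separate days")
    return dict(report)

def evidence(log_text, src, own_prefix="192.0.2."):
    """Log lines for one source, with our own addresses masked."""
    own = re.compile(re.escape(own_prefix) + r"\d+")
    return [own.sub("x.x.x.x", l) for l in log_text.splitlines()
            if f" {src}:" in l]

if __name__ == "__main__":
    for src, reasons in triage(SAMPLE).items():
        print(src, "->", "; ".join(reasons))
        print("\n".join(evidence(SAMPLE, src)))
```

The one-off probe from 203.0.113.50 falls below both thresholds and is left out of the report.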
