[Snort-users] OT: how to respond to alerts

Anders Toll anders_toll at ...125...
Fri Mar 30 08:36:02 EST 2001


This doesn't really have to do with Snort but is relevant anyway:

How do you respond to the alerts? Send email complaining to RIPE addresses?
Block the users out at the gateway/firewall level?

This morning I found an IP address that has been bad with one of our web
servers:

71 different signatures are present for x.x.x.x as a source

1 instances of WEB-FRONTPAGE orders.txt access
1 instances of WEB-MISC /cgi-bin/jj attempt
1 instances of WEB-FRONTPAGE author.exe access
1 instances of WEB-MISC piranha passwd.php3 access
1 instances of WEB-FRONTPAGE form_results access
[...]

Typically a script kiddie trying to find a hole.

What would be a proper way to deal with this? Should I send an email
complaining, together with firewall logs and Snort logs?

Does it really matter to complain?


Best regards

Anders T