[Snort-users] OT: how to respond to alerts
kmx at ...1644...
Fri Mar 30 12:30:21 EST 2001
You might want to check the Incidents List on SecurityFocus; they have
templates for Cease and Desist emails. Depending on the ISP/Internet
provider, the responses to C&D letters are mixed: sometimes they fix the
problem, sometimes they tell you to deal with it. Every once in a while I'll get a
"F U buddy i'll scan you if i feel like it". After you try diplomacy with
the C&D and they don't respond the way you want, then I just add them to my
data mining software so I can flag them in the snort db stuff I run. If they
continue to harass my networks, I block them at the upstream.
Hope that helps.
Managed Security Services.
Anders Toll wrote:
> This doesn't really have to do with Snort but is relevant anyway:
> How do you respond to the alerts? Send email complaining to ripe-addresses?
> Block the users out on gateway/firewall-level?
> This morning I found an ip-address has been bad with one of our web
> 71 different signatures are present for x.x.x.x as a source
> 1 instances of WEB-FRONTPAGE orders.txt access
> 1 instances of WEB-MISC /cgi-bin/jj attempt
> 1 instances of WEB-FRONTPAGE author.exe access
> 1 instances of WEB-MISC piranha passwd.php3 access
> 1 instances of WEB-FRONTPAGE form_results access
> Typically a scriptkiddie trying to find a hole.
> What should be a proper way to deal with this? Should I send an email
> complaining together with firewall-logs and snort-logs?
> Does it really matter to complain?
> Best regards
> Anders T