[Snort-users] OT: how to respond to alerts

Matt W. kmx at ...1644...
Fri Mar 30 12:30:21 EST 2001


You might want to check the Incidents List on SecurityFocus; they have
templates for Cease and Desist emails.  Depending on the ISP/Internet
provider, the responses to C&D letters are mixed: sometimes they fix the
problem, sometimes they tell you to deal with it. Every once in a while I'll get a
"F U buddy, I'll scan you if I feel like it".  After you try diplomacy with
the C&D and they don't respond the way you want, then I just add them to my
data mining software so I can flag them in the Snort db stuff I run.  If they
continue to harass my networks, I block them at the upstream.

Hope that helps.

-matt
www.farm9.com
Managed Security Services.

Anders Toll wrote:

> This doesn't really have to do with Snort but is relevant anyway:
>
> How do you respond to the alerts? Send email complaining to RIPE addresses?
> Block the users out on gateway/firewall level?
>
> This morning I found an IP address has been bad with one of our web
> servers:
>
> 71 different signatures are present for x.x.x.x as a source
>
> 1 instances of WEB-FRONTPAGE orders.txt access
> 1 instances of WEB-MISC /cgi-bin/jj attempt
> 1 instances of WEB-FRONTPAGE author.exe access
> 1 instances of WEB-MISC piranha passwd.php3 access
> 1 instances of WEB-FRONTPAGE form_results access
> [...]
>
> Typically a script kiddie trying to find a hole.
>
> What should be a proper way to deal with this? Should I send an email
> complaining together with firewall-logs and snort-logs?
>
> Does it really matter to complain?
>
> Best regards
>
> Anders T
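
The per-source summary quoted in the thread, and the step of flagging a source before blocking it upstream, sketched as an added example that is not part of the original posts or of Snort itself. It assumes alerts are available as Snort "fast" alert lines; the function names, the `min_signatures` threshold and the sample lines are hypothetical and constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed input: Snort "fast" alert lines. The [gid:sid:rev], priority and
# {PROTO} fields are optional so older and newer layouts both parse.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+(?:\[\d+:\d+:\d+\]\s+)?(?P<sig>.+?)\s+\[\*\*\]"
    r".*?(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
)

def summarize(lines):
    """Map each source IP to a Counter of the signatures it triggered."""
    by_src = defaultdict(Counter)
    for line in lines:
        m = ALERT_RE.search(line)
        if m:  # silently skip anything that is not an alert line
            by_src[m["src"]][m["sig"]] += 1
    return by_src

def watchlist(by_src, min_signatures=3):
    """Sources that hit many distinct signatures (threshold is an assumption)."""
    return sorted(s for s, sigs in by_src.items() if len(sigs) >= min_signatures)

def report(src, sigs):
    """Render one source in the summary layout quoted in the thread,
    suitable for attaching to a complaint to the source's provider."""
    out = [f"{len(sigs)} different signatures are present for {src} as a source", ""]
    out += [f"{n} instances of {sig}" for sig, n in sigs.most_common()]
    return "\n".join(out)

# Constructed sample alerts: documentation address ranges, placeholder SID.
SAMPLE = """\
03/30-09:12:01.000001  [**] [1:1000001:1] WEB-FRONTPAGE orders.txt access [**] [Priority: 2] {TCP} 192.0.2.10:3301 -> 198.51.100.5:80
03/30-09:12:02.000001  [**] WEB-MISC /cgi-bin/jj attempt [**] 192.0.2.10:3302 -> 198.51.100.5:80
03/30-09:12:03.000001  [**] WEB-FRONTPAGE author.exe access [**] 192.0.2.10:3303 -> 198.51.100.5:80
03/30-09:12:04.000001  [**] WEB-FRONTPAGE author.exe access [**] 192.0.2.10:3304 -> 198.51.100.5:80
03/30-09:15:00.000001  [**] ICMP PING NMAP [**] 192.0.2.77 -> 198.51.100.5
""".splitlines()

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for src in watchlist(summary):
        print(report(src, summary[src]))
```

A source that trips one signature (the lone ping in the sample) stays off the watchlist, while a source walking through many web signatures is reported with its counts.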