[Snort-users] Action Recommendations

Jarret Gibson jarret at ...7313...
Sun Oct 27 10:22:02 EST 2002


My network servers, like many others, are being pounded on port 80 with all types of various IIS and PHP exploits. I've eliminated all of the false alarms and made certain that the systems are updated and secure from the attacks I'm seeing. What should I do next?

- Suppose the attack came from 20.20.20.1.  I'm assuming I should block the offending IP address at the firewall, but should I block just that one IP, or should I block the entire subnet it is on?  Yeah, I'm aware that dialup users or some office folk can very easily switch to another IP, which is why I wonder if I should ban a whole range or not.  But, obviously, if some AOL user tried something, you wouldn't want to ban all AOL addresses.

- Should I bother with reporting these security problems to the offending person's ISP / office?  I've heard most of you say that people rarely (if ever) do anything about the script kiddies / hackers when you report them.

- What other actions should I take?

Jarret Gibson