[Snort-users] You caught them, what next?

Tobias Rice rice at ...7669...
Wed Apr 2 10:23:42 EST 2003


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Good morning to you all!
I hope that this isn't getting too far off topic, but since we all have this wonderful IDS in place, I'm sure you too are finding lots of people doing things they shouldn't. Which brings me to my question, what now?
Other than blocking them at the router, what action should be taken? I often email the isp's technical contact telling them what I found and for them to put an end to it. But is this useful? I've never gotten an email back, and I've sent plenty, which leads me to believe that no action has been taken, it went to the wrong person, or my email (which are pretty curt, see example) has offended the RP and was discarded. What are you all doing about your alerts?

[example email.]

To Whom It May Concern:
One of your customers, 216.243.8.18 (host18.fastdial.net), made 69 attempts to fingerprint my network via NMAP on 2003-04-02 03:43:39 Pacific. Please see to it that this stops immediately. Thank you for your cooperation.

[/example email...]

Thanks in advance!

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPoskmcNinOuDXR1bEQJxZQCgspaVA+RSZIzeg+hutqOUA/nI1roAn1jS
g0POVPrAspbRMNYDs+rJiVnN
=9C1U
-----END PGP SIGNATURE-----





More information about the Snort-users mailing list