[Snort-users] You caught them, what next?

Joe Matusiewicz joem at ...692...
Wed Apr 2 11:33:59 EST 2003


At 12:57 PM 4/2/03, Tobias Rice wrote:
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Good morning to you all!
>I hope that this isn't getting too far off topic, but since we all have 
>this wonderful IDS in place, I'm sure you too are finding lots of people 
>doing things they shouldn't. Which brings me to my question, what now?
>Other than blocking them at the router, what action should be taken? I 
>often email the isp's technical contact telling them what I found and for 
>them to put an end to it. But is this useful? I've never gotten an email 
>back, and I've sent plenty, which leads me to believe that no action has 
>been taken, it went to the wrong person, or my email (which are pretty 
>curt, see example) has offended the RP and was discarded. What are you all 
>doing about your alerts?

There's not a whole lot you can do.  It's a judgement call if you want to 
contact the ISP, who most likely will do nothing, especially if they're 
overseas.  Some ISPs will send out a warning letter to their customer 
telling them not to do it again.  If it's a conscientious company they will 
probably thank you if you alert them to the fact that one of their hosts 
was r00ted.  But then again maybe not.  From my perspective, it would be a 
full time job to send email to everyone who scans my network.  IDS sensors 
outside your firewall should not be your primary concern.  IDS sensors 
going off inside your firewall should be given much closer inspection.

My 2 lincolns....

-- Joe





More information about the Snort-users mailing list