[Snort-users] You caught them, what next?
joem at ...692...
Wed Apr 2 11:33:59 EST 2003
At 12:57 PM 4/2/03, Tobias Rice wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Good morning to you all!
>I hope that this isn't getting too far off topic, but since we all have
>this wonderful IDS in place, I'm sure you too are finding lots of people
>doing things they shouldn't. Which brings me to my question, what now?
>Other than blocking them at the router, what action should be taken? I
>often email the isp's technical contact telling them what I found and for
>them to put an end to it. But is this useful? I've never gotten an email
>back, and I've sent plenty, which leads me to believe that no action has
>been taken, it went to the wrong person, or my email (which are pretty
>curt, see example) has offended the RP and was discarded. What are you all
>doing about your alerts?
There's not a whole lot you can do. It's a judgement call if you want to
contact the ISP, who most likely will do nothing, especially if they're
overseas. Some ISPs will send out a warning letter to their customer
telling them not to do it again. If it's a conscientious company they will
probably thank you if you alert them to the fact that one of their hosts
was r00ted. But then again maybe not. From my perspective, it would be a
full time job to send email to everyone who scans my network. IDS sensors
outside your firewall should not be your primary concern. IDS sensors
going off inside your firewall should be given much closer inspection.
My 2 lincolns....
More information about the Snort-users