[Snort-users] You caught them, what next?
mbrei at ...8727...
Wed Apr 2 11:58:20 EST 2003
How would one go about logging the TZ info? I too was wondering about
From: L. Christopher Luther [mailto:CLuther at ...6333...]
Sent: Wednesday, April 02, 2003 2:42 PM
To: 'Tobias Rice'
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] You caught them, what next?
To add to your "I often email the isp's ...' thought, early last week
one of my web servers sustained a 1.5 hour "attack" from some script
kiddie on the Road Runner cable network. I e-mailed RR's abuse/security
folks but was told "Your logs must contain the following information in
order for Road Runner to process them, included within the email...":
Date of Incident
Time of Incident
Time Zone that logs are captured in
Source IP Address or Host Name
Destination IP Address or Host Name
I gave them *everything* in the logs but the TZ information because,
unfortunately, neither Snort nor my web server capture the TZ
information in their logs. I did give them the TZ information in the
e-mail I sent.
And what did I get back? The same message again. This exchange went
back-and-forth a couple of times, and each time I received the exact canned
Basically it appears that RR is not willing to do anything to their
paying customers unless *all* the requested information is included in the logs. So
I've given up on attempting to get the ISP to do anything, well at least
From: Tobias Rice [mailto:rice at ...7669...]
Sent: Wednesday, April 02, 2003 12:58 PM
Subject: [Snort-users] You caught them, what next?
Good morning to you all!
I hope that this isn't getting too far off topic, but since we all have
this wonderful IDS in place, I'm sure you too are finding lots of people
doing things they shouldn't. Which brings me to my question, what now?
Other than blocking them at the router, what action should be taken? I
often email the ISP's technical contact telling them what I found and
for them to put an end to it. But is this useful? I've never gotten an
email back, and I've sent plenty, which leads me to believe that no
action has been taken, it went to the wrong person, or my emails (which
are pretty curt, see example) have offended the RP and were discarded.
What are you all doing about your alerts?
To Whom It May Concern:
One of your customers, 220.127.116.11 (host18.fastdial.net), made 69
attempts to fingerprint my network via NMAP on 2003-04-02 03:43:39
Pacific. Please see to it that this stops immediately. Thank you for
Thanks in advance!
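As an added example (not code from the thread or from the Snort project), the following turns Snort fast-alert lines, which by default record neither the year nor the time zone, into the dated, zoned summary that Road Runner's abuse desk asked for. The alert lines and addresses are constructed; the sensor zone is passed in as a fixed PST offset for a self-contained run, whereas a real report would pass ZoneInfo("America/Los_Angeles") so DST is handled.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone, tzinfo

# Constructed fast-alert lines in Snort's default layout:
#   MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
# Note the missing year and zone: exactly the gap the ISP complained about.
SAMPLE_ALERTS = """\
04/02-03:43:39.101325 [**] [1:1000001:1] SCAN nmap fingerprint attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.18:41234 -> 203.0.113.7:80
04/02-03:43:40.220011 [**] [1:1000001:1] SCAN nmap fingerprint attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.18:41235 -> 203.0.113.7:443
04/02-03:44:02.005500 [**] [1:1000002:1] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.18:41236 -> 203.0.113.7:22
"""

# Fixed offset stands in for the sensor's zone (assumption; use zoneinfo in practice).
SENSOR_TZ = timezone(timedelta(hours=-8), "PST")

ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<hms>\d\d:\d\d:\d\d)\.(?P<usec>\d{6}) \[\*\*\] "
    r"\[(?P<sig>\d+:\d+:\d+)\] (?P<msg>.*?) \[\*\*\] .*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)


def parse_alert(line: str, year: int, sensor_tz: tzinfo) -> dict:
    """Parse one fast-alert line into an aware datetime plus source/destination."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    # The year is not in the log, so the caller supplies it together with the zone.
    naive = datetime.strptime(f"{year}/{m['mon']}/{m['day']} {m['hms']}", "%Y/%m/%d %H:%M:%S")
    when = naive.replace(microsecond=int(m["usec"]), tzinfo=sensor_tz)
    return {"when": when, "msg": m["msg"], "proto": m["proto"], "src": m["src"], "dst": m["dst"]}


def abuse_report(alert_text: str, year: int, sensor_tz: tzinfo) -> dict:
    """Summarise alerts into the fields an abuse desk requires: date, time, zone, source, destination."""
    events = [parse_alert(l, year, sensor_tz) for l in alert_text.splitlines() if l.strip()]
    if not events:
        raise ValueError("no alerts to report")
    first, last = min(e["when"] for e in events), max(e["when"] for e in events)
    off = first.strftime("%z")  # e.g. -0800
    return {
        "date": first.date().isoformat(),
        "first_seen": first.isoformat(timespec="seconds"),  # RFC 3339, offset included
        "last_seen": last.isoformat(timespec="seconds"),
        "time_zone": f"{first.tzname()} (UTC{off[:3]}:{off[3:]})",
        "utc_first_seen": first.astimezone(timezone.utc).isoformat(timespec="seconds"),
        "sources": sorted({e["src"] for e in events}),
        "destinations": sorted({e["dst"] for e in events}),
        "event_count": len(events),
        "signatures": dict(Counter(e["msg"] for e in events)),
    }


if __name__ == "__main__":
    for k, v in abuse_report(SAMPLE_ALERTS, 2003, SENSOR_TZ).items():
        print(f"{k}: {v}")
```

Including both the local offset and the UTC rendering removes the ambiguity that caused the canned rejections, whatever zone the abuse desk works in.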