[Snort-users] SUMMARY, CyberKit 2.2 Ping, its driven me Nuts..

bmcdowell at ...7861... bmcdowell at ...7861...
Wed Dec 31 07:08:01 EST 2003


I keep reading these and thinking 'now here is a good case for multiple sensors'.  Disable the rule on your external sensors, enable it on your internal ones.  That way, you'd also know if xyz-nasty-worm has somehow breached your firewall and is browsing your network.  Right?

Bob

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Chris N
Sent: Wednesday, December 31, 2003 9:40 AM
To: snort-users at lists.sourceforge.net;
snort-users-admin at lists.sourceforge.net
Subject: [Snort-users] SUMMARY, CyberKit 2.2 Ping, its driven me Nuts..



Fellowship of the Snort,

I guess I should have clarified that all the "CyberKit 2.2 Ping" alerts were
ingress only.

Some of you guys suggested just removing the alert. Yes that would stop the
chaos, but I didn't want to blind myself. Although, I do have to admit I was
leaning this way.

With the advise from a few others I decided to keep the rule, but with a
slight modification to alert me on egress only. I am only really concerned
about systems within my network. Yes, keeping track of this traffic from the
outside would be a good idea, but in my environment its not feasible.
Someday, when I'm questioned about the necessity of an IDS, I will switch
this alert and a few others back to saturate, so as to subdue the
misinformed.

Thank you for your time
Chris N.



-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Chris N
Sent: Monday, December 29, 2003 10:52 AM
To: snort-users at lists.sourceforge.net;
snort-users-admin at lists.sourceforge.net
Subject: [Snort-users] CyberKit 2.2 Ping, its driven me Nuts..


Fellow Snorters,

Ok, I have had enough of this "CyberKit 2.2 Ping." How are some of you guys
dealing with it? Do you just ignore(pass), log every one, or go and try to
shut the offending hosts down? Although, trying to shutdown all the
offending host could be a daunting task, since there are so dam many.

Chris



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list