[Snort-users] stupid question

james hackerwacker at ...3784...
Sat Jun 7 22:41:02 EDT 2003


I tend to agree with John, with some modifications.
 
: 1) Get over it. Probes are extremely common, and if you're
: well-protected, view them as so much water off a duck's back and get
: on with your life.

Put your energy into the lost art of host security, I would say. Don't
run Snort if you tend to get your knickers in a twist over every Snort alert.
: 
: 2) Gnash your teeth, post messages to various abuse@ and/or
: postmaster@ and/or newsgroups and/or whatever, and never get any real
: satisfaction;

I get 3,000-10,000 alerts a day, running Snort on a busy ISP network.
I follow up on the very persistent attacks, like the yahoos who try to use
formmail over and over and over, 24/7, to send spam. I also follow up
on attacks that seem serious, i.e. someone is really trying to crack my hosts
and not just pointing a scanner at me. This is less than 1% of all my alerts.
Keep in mind I use Snort to report a lot of things that are not, per se, attacks.

I use my Snort alerts as a guide to indicate where I need to improve 
or rethink my network and host security.

: 2.a) Join dshield (http://www.dshield.org/) and sign up for Fight
: Back! and *then* get on with your life...

Our abuse desk loves these kinds of reports and we do take action, even
to the point of pulling the plug on a user. So I assume at least a few ISPs do the same, and
I submit some of my Snort logs to them. I expect little from this and am happy if just one
host is cleaned.
 
: Personally, I'm in group 1)...

Yep. My goal is to not get hacked, so I get the most bang out of what time I have
by minding my hosts and networks and not firing off useless e-mail. 

James Edwards
jamesh at ...3784...
Routing and Security