From: Bob Staaf (rstaafcfl.rr.com)
Date: Fri Jun 15 2001 - 15:05:29 CDT


    Paul,

         I started out in the beginning whining to every ISP I could track down.
    You would have to hire a person full time to do that if that is what you wanted
    to do. I typically whine if they scan more than 3 or 4 ports on any one
    server at once. I also whine if they do certain types of scans that a
    typical script kiddie wouldn't be running. You might also want to complain
    if you see the same IP hitting your server day after day after day, even if
    they only do one scan once a day; they may be trying to be inconspicuous,
    hoping you will miss them. Just some of the things to think about. You
    might want to look at something to help manage the logs like ACID or some
    other product; it will make the job much easier to spot trends.
         You know your management better than anyone, but the BEST security
    measure you can take is knowing what is going on with your network, and
    keeping a close eye on the logs is one of the best ways to do that.

    Hope this helps

    Bob Staaf
    Southern Web Services
    Orlando, Fl

    ----- Original Message -----
    From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahanpriceline.com>
    To: <Snort-userslists.sourceforge.net>
    Sent: Friday, June 15, 2001 3:12 PM
    Subject: [Snort-users] I'm being attacked, now what?

    > I wanted to get some feedback from others out there on how they handle
    > attacks, whether successful or unsuccessful. I see what appears to be valid
    > attacks in small numbers from random machines. Occasionally, I see tons of
    > different attacks coming from ONE machine. Though all attacks are
    > unsuccessful, when does someone scream to the ISP to tell them to stop their
    > client, and when does one just ignore it?
    >
    > It would obviously be VERY time consuming (and a waste of time) to send
    > complaints to every ISP. What do people recommend out there....maybe only
    > send a complaint when attacks from one node become ridiculously large, or if
    > they successfully break in?
    >
    > The logs are nice to have, but I know management will ask what are we doing
    > about the attacks we are seeing and what is the time you are spending
    > maintaining the IDS server doing for the company?
    >
    > Thanks
    >
    > _______________________________________________
    > Snort-users mailing list
    > Snort-userslists.sourceforge.net
    > Go to this URL to change user options or unsubscribe:
    > http://lists.sourceforge.net/lists/listinfo/snort-users
    > Snort-users list archive:
    > http://www.geocrawler.com/redir-sf.php3?list=snort-users
    >

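The two triage heuristics in the reply above (one source probing more than 3 or 4 ports on a single server, and one source showing up day after day) can be applied mechanically to alert logs. The following is an added example, not code from the original thread or from Snort; the alert lines are constructed in the style of Snort's fast alert output, the SIDs are local placeholders, and the thresholds are parameters you would tune to your own environment.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Snort's fast alert output (not from the post).
SAMPLE_ALERTS = """\
06/11-02:14:07.123456 [**] [1:1000001:1] LOCAL probe [**] {ICMP} 203.0.113.9 -> 192.0.2.10
06/12-02:15:11.000000 [**] [1:1000001:1] LOCAL probe [**] {ICMP} 203.0.113.9 -> 192.0.2.10
06/13-02:14:59.000000 [**] [1:1000001:1] LOCAL probe [**] {ICMP} 203.0.113.9 -> 192.0.2.10
06/15-14:01:02.000000 [**] [1:1000002:1] LOCAL probe [**] {TCP} 198.51.100.7:40001 -> 192.0.2.10:21
06/15-14:01:02.100000 [**] [1:1000002:1] LOCAL probe [**] {TCP} 198.51.100.7:40002 -> 192.0.2.10:22
06/15-14:01:02.200000 [**] [1:1000002:1] LOCAL probe [**] {TCP} 198.51.100.7:40003 -> 192.0.2.10:23
06/15-14:01:02.300000 [**] [1:1000002:1] LOCAL probe [**] {TCP} 198.51.100.7:40004 -> 192.0.2.10:25
06/15-14:01:02.400000 [**] [1:1000002:1] LOCAL probe [**] {TCP} 198.51.100.7:40005 -> 192.0.2.10:80
06/15-09:30:00.000000 [**] [1:1000002:1] LOCAL probe [**] {TCP} 192.0.2.200:5555 -> 192.0.2.10:80
"""

# Captures month/day and the "src -> dst" tail; src/dst carry ":port" for TCP/UDP only.
ALERT_RE = re.compile(r"^(\d\d/\d\d)-\S+ \[\*\*\] .*? \[\*\*\] \{\w+\} (\S+) -> (\S+)$")

def split_addr(addr):
    """Return (ip, port) for 'ip:port', or (ip, None) for a bare IPv4 address."""
    ip, sep, port = addr.rpartition(":")
    return (ip, port) if sep else (addr, None)

def triage(alert_text, port_threshold=3, day_threshold=3):
    """Flag a source that hit more than port_threshold distinct ports on one server,
    and a source seen on day_threshold or more distinct days (the 'quiet daily' case)."""
    ports_hit = defaultdict(set)   # (src_ip, dst_ip) -> distinct destination ports
    days_seen = defaultdict(set)   # src_ip -> distinct calendar days
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue               # tolerate lines in another format
        day, src, dst = m.groups()
        src_ip, _ = split_addr(src)
        dst_ip, dst_port = split_addr(dst)
        days_seen[src_ip].add(day)
        if dst_port is not None:
            ports_hit[(src_ip, dst_ip)].add(dst_port)
    findings = defaultdict(list)
    for (src_ip, dst_ip), ports in ports_hit.items():
        if len(ports) > port_threshold:
            findings[src_ip].append(("multi_port", dst_ip, len(ports)))
    for src_ip, days in days_seen.items():
        if len(days) >= day_threshold:
            findings[src_ip].append(("persistent", len(days)))
    return dict(findings)
```

Running `triage(SAMPLE_ALERTS)` flags 198.51.100.7 for probing five ports on 192.0.2.10 in one burst and 203.0.113.9 for appearing on three separate days, while the single-hit source 192.0.2.200 is left alone.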