
RE: auto-response IDS against port-scanning or attacked ip?

From: Seymour, Keith E. <KESeymour(at)magellanhealth.com>
Date: Thu Jul 17 2003 - 09:21:48 EDT


I would strongly suggest that you send a daily or weekly wrap-up rather than report on every scan. With the amount of scanning traffic I see, you would keep your mail server busy, and more likely than not your mail would get deleted by an automated rule. This is for the same reason that you don't generate email alerts for yourself when there is a scan.

Keith  

-----Original Message-----
From: bladi [mailto:bladi-sec@novasec.es]
Sent: Monday, July 14, 2003 21:00
To: SB CH
Cc: focus-ids@securityfocus.com
Subject: Re: auto-response IDS against port-scanning or attacked ip?

Hi

I don't know if that exists yet for Snort, but I think you could do it easily using swatch, jwhois and some scripting.

But take care about the number of mails you send to the ISP.

That shows you how to set up Swatch to email you alerts: http://www.theadamsfamily.net/~erek/snort/snort-swatch.conf.txt

bye


SB CH wrote:

> Hello, all.



NovaSec Servicios de Seguridad

C/ Evaristo San Miguel 4 2º6 (Princesa) 28008 Madrid (España)

Tel: 91 547 30 51
Fax: 91 559 41 75
http://www.novasec.es




Is your IDS deployed correctly?
Find out by easily testing it with real-world attacks from CORE IMPACT. Go to www.coresecurity.com/promos/sf_eids1 to learn more.

Received on Thu Jul 17 20:15:21 2003
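
The periodic wrap-up suggested in the reply above, sketched as an added example that is not part of the original thread: it collapses a day's alerts into one summary line per source address, so a single mail replaces one mail per scan. The sample lines are constructed in the style of Snort's "fast" alert output; the function names and the digest layout are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Snort's "fast" alert output (not real traffic).
SAMPLE_ALERTS = """\
07/14-08:02:11.104233  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.5
07/14-08:02:13.554120  [**] [1:1418:2] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40211 -> 198.51.100.5:161
07/14-13:45:02.000871  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.77 -> 198.51.100.6
07/14-21:00:59.912004  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.9
this line is truncated and should be skipped
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

def summarize(text):
    """Group alerts by source IP: count, first/last seen, distinct targets and signatures."""
    per_src = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                   "targets": set(), "sigs": set()})
    skipped = 0
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            skipped += 1  # malformed or non-alert line: count it, keep it out of the digest
            continue
        s = per_src[m["src"]]
        s["count"] += 1
        # MM/DD-HH:MM:SS strings sort chronologically within one year
        s["first"] = min(s["first"] or m["ts"], m["ts"])
        s["last"] = max(s["last"] or m["ts"], m["ts"])
        s["targets"].add(m["dst"])
        s["sigs"].add(m["msg"])
    return dict(per_src), skipped

def render_digest(per_src, skipped):
    """Build the body of the single wrap-up mail, noisiest source first."""
    lines = [f"IDS scan wrap-up: {sum(s['count'] for s in per_src.values())} alerts "
             f"from {len(per_src)} sources ({skipped} unparsed lines)"]
    for src, s in sorted(per_src.items(), key=lambda kv: (-kv[1]["count"], kv[0])):
        lines.append(f"{src:<15} alerts={s['count']} targets={len(s['targets'])} "
                     f"sigs={len(s['sigs'])} first={s['first']} last={s['last']}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_digest(*summarize(SAMPLE_ALERTS)))
```

Run once a day from cron over that day's alert file, the printed digest is the only message that needs to be mailed.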

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:16 EDT

