North American Network Operators Group


RE: EXAMPLE: ### xxx Canada detected a penetration attempt from 209.123.x.229. Incident# xxxx

  • From: Mike Batchelor
  • Date: Fri Oct 26 18:28:27 2001

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The problem with automated notifications to IDS alerts is that they are
justified with faulty reasoning.

1.  I get too many security alerts, and notifying the responsible parties
takes too much of my time.
2.  Most notifications are the same thing, only the addresses and timestamps
are different.
3.  I'll automate the notifications to save me time.
.... few days later ....

4.  Damn!  My inbox is overflowing with people responding to my automated
notifications!  It's taking too much time to answer them all.

He should have stopped at #1, first phrase:  "I get too many security
alerts."  Well dude, configure your IDS properly.  Not every spark grows to
be a four alarm fire.

> -----Original Message-----
> From: [email protected] [mailto:[email protected]]On Behalf Of
> Greg Poirier
> Sent: Friday, October 26, 2001 1:23 PM
> To: [email protected]
> Subject: Re: EXAMPLE: ### xxx Canada detected a penetration attempt from
> 209.123.x.229. Incident# xxxx
>
>
>
> On Fri, Oct 26, 2001 at 12:57:55PM -0700, Adam McKenna wrote:
> >
> > I think that Alex's point is that if you want to *really* have a secure
> > network, you can't do it by sending out automated mails every time a stray
> > packet hits your network.  That's likely to cause way more annoyance than any
> > good it could possibly do.
> >
> > A much more effective way of proceeding would be to have a person looking at
> > each and every incident, deciding whether it merits a notice to the offending
> > network, and then sending a personal, non-threatening mail.
> >
> > --Adam
> > --
> > Adam McKenna <[email protected]>   | GPG: 17A4 11F7 5E7E C2E7 08AA
> > http://flounder.net/publickey.html |      38B0 05D0 8BF7 2C6D 110A
>
> Now I think that might be a bit much.. but you are right.. Sending out
> e-mails like this is rather annoying.  Instead of reporting every little
> http request, maybe filter it so that only very suspicious ports are
> reported?
>
> Not that they're here to hear advice, but it's the thought that counts.
>
> --
> Greg Poirier                       System Administrator
> EarthLink, Inc.              Multi-Function Engineering
> (404) 748-7106                              Atlanta, GA

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBO9ni6UksS4VV8BvHEQIEawCg+TGSi+Ac9fcv+eMaZqZ6gXwVTnYAoOQ4
jBrfZfvhl/RL5y/ouueNmW8p
=tIyz
-----END PGP SIGNATURE-----