On Fri, Apr 04, 2003 at 10:51:27PM -0500, McBurnett, Jim wrote:
I tell ya, what really gets me in a bad mood is when my PIX logs show the same IP address hitting port 80 on 25 different IP's and the time line is 2 seconds start to finish. And then you report it, and it continues after a week every single day. Substitute port 80 here with 1433, 139,135, and on and on.. When a Syslog trap with a NTP sync time base and the entire log is not good enough, I don't know what is.... Yesterday, I got word from a network operator that 50 entries was not sufficient. So I parsed 4 days's worth and sent them over 1200 messages from their block.. have not heard back yet..
How was this traffic causing harm to your network? I'd rather have them dealing with people actively breaking into systems, DoS'ing, etc than terminating some customer who's probably infected with the latest microsoft worm.
Later, J
-- Matthew S. Hallacy FUBAR, LART, BOFH Certified http://www.poptix.net GPG public key 0x01938203