So I'm running snort on my Debian Linode (version 1.8.4-beta1 (Build 91)), and I'm seeing plenty of ICMP ping activity in the alert log, but I'm not seeing anything in the portscan log, or any other attack attempts in the syslog. This has been the case for over a week now. When I ran snort on my DSL connection, I was getting scanned or attacked every few minutes. Does anyone know if this malicious activity is being filtered somewhere upstream, or have any other data points to compare and contrast against?

-"Zow"

Well .. besides the port filtering that ThePlanet does, I would suspect that script kiddies know they are more likely to find vulnerable machines from cable and DSL providers, rather than locked-down boxes at datacenters. But, that's not to say that having a r00ted box on a high speed network isn't attractive...

-Chris

If a linode did get rooted, (theoretically, I hope this would never happen!) what would be done? Would it simply be terminated until it's owner came back, rebooted and secured it?

-Ashen

If a linode did get rooted, (theoretically, I hope this would never happen!) what would be done? Would it simply be terminated until it's owner came back, rebooted and secured it?

-Ashen

I've the feeling it's getting filtered downstream.

I'm wondering if you bought an interface for your linode that you dedicate to Snort. I'm about to give Snort a try on my linode but have been wondering about resource issues (I'm NOT going to use ACID or have it report to a MySQL DB) and the best overall deployment of Snort.