Snort mailing list archives
Re: Firing off Abuse email based on Snort Traffic
From: Matt Howell <mhowell () cybarworks com>
Date: 29 May 2003 13:46:00 -0700
On Thu, 2003-05-29 at 12:07, Matt Kettler wrote:
> If you were to send me such an email without good evidence that an actual attack was occurring, I'd request you immediately cease. If you failed to cease, I'd blacklist all email from your domain on the third occurrence, and issue a complaint to your upstream provider.
I understand your argument, and I am looking for a solution that will work within the constraints that you mentioned. Our portscan thresholds are pretty lax (you have to either scan more than just a handful of ports or hosts to set it off), and I have several more specific rules / preprocessors disabled (i.e. the chatty Portscan2 / conversation modules). I recognize your concern for being "spammed" with abuse, but I am working under the assumption that if such a project exists, the developers would have taken this into consideration and included some sort of record keeping functionality to prevent multiple notifications within a reasonable time frame (2 days?).
From our internal policy, if Snort reports that a host (or series of
hosts on the same subnet) has scanned 150 hosts on our network, then this would definitely warrant an abuse email. Right now, each one of these is created by hand, based on a cookie cutter form anyway. When you consider that we receive portscans at all hours of the day, and an administrator is not necessarily available to fire off an email right at night, it would be nice to provide an ISP with a timely notification so that they can address the issue while the host is still active (in theory). Are you aware of a project like this?

-Matt
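One way to implement the policy sketched in this post (a notice once a source has touched 150 distinct hosts, with repeat notices to the same source suppressed for two days), as an added example that is not part of this thread or of any existing tool; the fast-alert line layout, the `NoticeLog` class, the addresses and the alert volumes are assumptions constructed for the example:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ALERT_RE = re.compile(  # Snort "fast" alert layout; the exact format is an assumption here
    r"^(?P<ts>\S+) \[\*\*\] .*?\[\*\*\] \{\w+\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

def build_sample(src, n):
    """Constructed alert lines: `src` probing n distinct hosts in 192.0.2.0/24 (not real data)."""
    return "\n".join(
        f"05/29-23:{i // 60:02d}:{i % 60:02d}.000000 [**] [1:100000:1] SYN probe [**] "
        f"{{TCP}} {src}:4000 -> 192.0.2.{i % 250 + 1}:{i % 5 + 20}" for i in range(n))
SAMPLE_ALERTS = build_sample("203.0.113.9", 160) + "\n" + build_sample("198.51.100.4", 5)

def count_targets(text):
    """Map each source address to the set of distinct destination hosts it touched."""
    targets = defaultdict(set)
    for m in filter(None, map(ALERT_RE.match, text.splitlines())):
        targets[m["src"]].add(m["dst"])
    return targets

def scanners(text, threshold=150):
    """Sources that hit at least `threshold` distinct hosts (the 150-host policy above)."""
    return {src: len(d) for src, d in count_targets(text).items() if len(d) >= threshold}

class NoticeLog:
    """Record of sent notices; suppresses a repeat to the same source within `window`."""
    def __init__(self, window=timedelta(days=2)):
        self.window, self.sent = window, {}   # persist `sent` on disk in real use
    def should_notify(self, src, now):
        last = self.sent.get(src)
        if last is not None and now - last < self.window:
            return False                      # reported recently: do not spam the ISP
        self.sent[src] = now
        return True

def pending_notices(text, log, now, threshold=150):
    """Sources over the threshold that have not already been reported inside the window."""
    return sorted(src for src in scanners(text, threshold) if log.should_notify(src, now))

def demo():
    log, t0 = NoticeLog(), datetime(2003, 5, 29, 23, 0)
    return (pending_notices(SAMPLE_ALERTS, log, t0),                       # ['203.0.113.9']
            pending_notices(SAMPLE_ALERTS, log, t0 + timedelta(hours=6)),  # []  (suppressed)
            pending_notices(SAMPLE_ALERTS, log, t0 + timedelta(days=3)))   # ['203.0.113.9']

if __name__ == "__main__":
    print(demo())
```

The source that touched only 5 hosts never qualifies, and the 160-host source is reported once, stays quiet when the same alerts recur six hours later, and becomes reportable again after the two-day window.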
Current thread:
- Firing off Abuse email based on Snort Traffic Matt Howell (May 29)
- Re: Firing off Abuse email based on Snort Traffic Matt Kettler (May 29)
- RE: Firing off Abuse email based on Snort Traffic Chris (May 29)
- RE: Firing off Abuse email based on Snort Traffic dave (May 29)
- Re: Firing off Abuse email based on Snort Traffic Matt Howell (May 29)
- Re: Firing off Abuse email based on Snort Traffic Erek Adams (May 29)
- Re: Firing off Abuse email based on Snort Traffic Matt Howell (May 29)
- Re: Firing off Abuse email based on Snort Traffic Skip Carter (May 29)
- Re: Firing off Abuse email based on Snort Traffic Budi Rahardjo (May 29)
- Re: Firing off Abuse email based on Snort Traffic Michael H. Warfield (May 29)
- RE: Firing off Abuse email based on Snort Traffic Chris (May 29)
- Re: Firing off Abuse email based on Snort Traffic Matt Kettler (May 29)
- Re: [OT] Firing off Abuse email based on Snort Traffic Matt Howell (May 30)
- Re: [OT] Firing off Abuse email based on Snort Traffic james (May 30)
