Snort mailing list archives
Re: Firing off Abuse email based on Snort Traffic
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 29 May 2003 15:07:50 -0400
FWIW, I'd like to give you some perspective. If you were to send me such an email without good evidence that an actual attack was occurring, I'd request you immediately cease. If you failed to cease, I'd blacklist all email from your domain on the third occurrence, and issue a complaint to your upstream provider.
I'd think LONG and HARD about automating an abuse complaint based on such a weak sign as portscan thresholds. People do not take kindly to being bombarded by email from a half-baked and broken "intrusion" sensor. It adds noise to an already overloaded system.
If you can unconditionally prove it is a legitimate attack, then feel free to automate... but abuse should not be abused by carpet bombing it with "hunches" and "I think this may be an attack" from automated systems. The "maybe" cases should be hand written.
At 10:44 AM 5/29/2003 -0700, Matt Howell wrote:
All...
We are starting to really see the benefit of our Snort deployment project, and inevitably the project's scope has been expanded. We would like to set up a Sensor to automatically send Abuse emails to the ISP of any hosts that break our Portscan threshold. Has anyone seen a project / product out there that does this already? Any input would be appreciated...
TIA,
-Matt