Snort mailing list archives
RE: Firing off Abuse email based on Snort Traffic
From: <bmcdowell () coxhealthplans com>
Date: Thu, 29 May 2003 16:43:51 -0500
I personally am not aware of anything like this, mostly because it is generally frowned upon. Like the others have said, this may not be very well received by the ISP in question. That is beside the fact that the ISP may or may not even read your automated e-mail, let alone do anything whatsoever about it. Another facet to it is that port-scanning may or may not be malicious, and AFAIK is not illegal (at least in and of itself - but IANAL). Individual ISPs may or may not have a policy against port-scanning.

I don't mean to start up a debate here, but I would imagine that your time might be better spent elsewhere. For example, maybe you should move your sensor inside your DMZ and scan the traffic that actually gets past your defenses. Or, you may want to consider a Honeypot/net/etc. to actually observe the enemy in the wild.

Also, Matt Kettler raised a good point. Time can be in very short supply. Many (or at least some) of us use snort primarily because our corporation won't shell out the big bucks for something commercial. And if that is the case, you can bet that those same corps aren't shelling out the cash for extra admin staff either - which leaves one shorthanded.

Just my $.02...

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Matt Howell
Sent: Thursday, May 29, 2003 3:46 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Firing off Abuse email based on Snort Traffic

On Thu, 2003-05-29 at 12:07, Matt Kettler wrote:
If you were to send me such an email without good evidence that an actual attack was occurring, I'd request you immediately cease. If you failed to cease, I'd blacklist all email from your domain on the third occurrence, and issue a complaint to your upstream provider.
I understand your argument, and I am looking for a solution that will work within the constraints that you mentioned. Our portscan thresholds are pretty lax (you have to either scan more than just a handful of ports or hosts to set it off), and I have several more specific rules / preprocessors disabled (i.e., the chatty Portscan2 / conversation modules). I recognize your concern for being "spammed" with abuse, but I am working under the assumption that if such a project exists, the developers would have taken this into consideration and included some sort of record keeping functionality to prevent multiple notifications within a reasonable time frame (2 days?).
From our internal policy, if Snort reports that a host (or series of hosts on the same subnet) has scanned 150 hosts on our network, then this would definitely warrant an abuse email. Right now, each one of these is created by hand, based on a cookie cutter form anyway. When you consider that we receive portscans at all hours of the day, and an administrator is not necessarily available to fire off an email right at night, it would be nice to provide an ISP with a timely notification so that they can address the issue while the host is still active (in theory).

Are you aware of a project like this?

-Matt

-------------------------------------------------------
This SF.net email is sponsored by: eBay
Get office equipment for less on eBay!
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
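The record-keeping notifier Matt asks about, as an added example that is not from this thread or from any Snort project code: it aggregates Snort portscan alerts per source /24, applies the 150-host threshold from his policy, and suppresses repeat notices to the same subnet within two days. The alert-line format, the year (Snort fast alerts carry none) and the sample addresses are assumptions; the sample lines are constructed.

```python
import re, ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Snort 2 "fast" alert line for the portscan preprocessor (exact format is an assumption).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\].*?\(portscan\).*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (?P<dst>\d+\.\d+\.\d+\.\d+)")
THRESHOLD = 150               # distinct hosts scanned before a notice is warranted
SUPPRESS = timedelta(days=2)  # no repeat notice to the same source /24 within this window

def parse_alert(line, year=2003):
    """Return (timestamp, src, dst) for a portscan alert line, else None."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f"), m["src"], m["dst"]

class AbuseNotifier:
    def __init__(self, threshold=THRESHOLD, suppress=SUPPRESS):
        self.threshold, self.suppress = threshold, suppress
        self.last_notified = {}   # record keeping: subnet -> time of the last notice sent

    def process(self, lines, year=2003):
        """Aggregate one batch of alerts; return [(subnet, hosts_scanned, action)]."""
        targets, latest = defaultdict(set), {}
        for line in lines:
            parsed = parse_alert(line, year)
            if parsed is None:
                continue          # not a portscan alert
            ts, src, dst = parsed
            net = ipaddress.ip_network(f"{src}/24", strict=False)  # hosts on the same subnet
            targets[net].add(dst)
            latest[net] = max(latest.get(net, ts), ts)
        decisions = []
        for net, hosts in sorted(targets.items()):
            if len(hosts) < self.threshold:
                action = "below"
            elif net in self.last_notified and latest[net] - self.last_notified[net] < self.suppress:
                action = "suppressed"
            else:
                action = "notify"  # this is where the cookie-cutter abuse e-mail would be generated
                self.last_notified[net] = latest[net]
            decisions.append((str(net), len(hosts), action))
        return decisions

def sample_batch(date, src, n_targets):  # constructed sample: one source scanning 192.0.2.0/24
    return [f"{date}-02:13:{i % 60:02d}.000000  [**] [122:1:0] (portscan) TCP Portscan "
            f"[**] [Priority: 3] {{PROTO:255}} {src} -> 192.0.2.{i}"
            for i in range(1, n_targets + 1)]
```

Persisting `last_notified` (to a file or database) between runs is what turns this into the record keeping the thread asks for; the in-memory dictionary only lasts for one process.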
Current thread:
- Re: Firing off Abuse email based on Snort Traffic, (continued)
- Re: Firing off Abuse email based on Snort Traffic Skip Carter (May 29)
- Re: Firing off Abuse email based on Snort Traffic Budi Rahardjo (May 29)
- Re: Firing off Abuse email based on Snort Traffic Michael H. Warfield (May 29)
- Re: Firing off Abuse email based on Snort Traffic Frank Knobbe (May 29)
- Re: [OT] Firing off Abuse email based on Snort Traffic Matt Kettler (May 30)
- Re: [OT] Firing off Abuse email based on Snort Traffic Matt Howell (May 30)
- Re: [OT] Firing off Abuse email based on Snort Traffic james (May 30)
- RE: Firing off Abuse email based on Snort Traffic Matt Howell (May 29)