Snort mailing list archives
Re: Firing off Abuse email based on Snort Traffic
From: Matt Howell <mhowell () cybarworks com>
Date: 29 May 2003 16:03:20 -0700
On Thu, 2003-05-29 at 15:44, Erek Adams wrote:
> For the most part I'd have to side with Matt Kettler on this. I've worked in Security and Abuse at a large ISP before... If I got multiple emails that say 'One of your dialup users portscanned X machines on my network', I'd be real tempted to add that email address to the /dev/null procmail filter.
As I mentioned in my previous post, I am looking for something that sends 1 email per ISP per every 48 - 72 Hour period. Having worked in my clients' own IT department, I know the frustration of being spammed with support requests.
> To be quite honest, don't send email. It's almost a waste of time in many cases. Your best result is to actually pick up the phone and call. Direct interaction with someone is an excellent way to get something done. The person on the phone might actually hear the urgency in your voice, where 'reading the urgency' from an email just might not happen.
I totally agree. Unfortunately, a considerable amount of our scans are coming from the Asia Pacific area. APNIC often only returns an email address for abuse and no phone number. The client that I am involved with currently, is in the Medical field and has ramped up recent security efforts in response to the recent HIPAA regulations and dramatic network compromises (thus the reason Snort was deployed). How do other administrators handle genuine attacks and Portscans from International sources?
-Matt