Re: Firing off Abuse email based on Snort Traffic

[Matt Kettler <mkettler () evi-inc com>]

FWWIW, I'd like to give you some perspective.

If you were to send me such an email without good evidence that an actual 
attack was occurring, I'd request you immediately cease. If you failed to 
cease, I'd blacklist all email from your domain on the third occurrence, 
and issue a complaint to your upstream provider.

I'd think LONG and HARD about automating an abuse complaint based on such a 
weak sign as portscan thresholds.  People do not take kindly to being 
bombarded by email from a half-baked and broken "intrusion" sensor. It adds 
noise to an already overloaded system.

If you can unconditionally prove it is a legitimate attack, then feel free 
to automate.. but abuse should not be abused by carpet bombing it with 
"hunches" and "I think this may be an attack" from automated systems. The 
"maybe" cases should be hand written.



At 10:44 AM 5/29/2003 -0700, Matt Howell wrote:
> All...
>
> We are starting to really see the benefit of our Snort deployment
> project, and inevitably the project's scope has been expanded.  We would
> like to set up a Sensor to automatically send Abuse emails to the ISP of
> any hosts that break our Portscan threshold.   Has anyone seen a project
> / product out there that does this already?
>
> Any input would be appreciated...
>
> TIA,
>
> -Matt



-------------------------------------------------------
This SF.net email is sponsored by: eBay
Get office equipment for less on eBay!
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users