Snort mailing list archives

Re: Firing off Abuse email based on Snort Traffic

From: Frank Knobbe <fknobbe () knobbeits com>
Date: 29 May 2003 16:16:02 -0500

On Thu, 2003-05-29 at 14:07, Matt Kettler wrote:

If you can unconditionally prove it is a legitimate attack, then feel free 
to automate.. but abuse should not be abused by carpet bombing it with 
"hunches" and "I think this may be an attack" from automated systems. The 
"maybe" cases should be hand written.


Not just hunches. Even if it is valid, there needs to be some throttle
(perhaps a limit of one email per offending IP). Otherwise an automated
system would fire off an email every time an attack occurs, even if
legitimate.

Frank

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

Firing off Abuse email based on Snort Traffic Matt Howell (May 29)
- Re: Firing off Abuse email based on Snort Traffic Matt Kettler (May 29)
  - RE: Firing off Abuse email based on Snort Traffic Chris (May 29)
    - RE: Firing off Abuse email based on Snort Traffic dave (May 29)
  - Re: Firing off Abuse email based on Snort Traffic Matt Howell (May 29)
    - Re: Firing off Abuse email based on Snort Traffic Erek Adams (May 29)
    - Re: Firing off Abuse email based on Snort Traffic Matt Howell (May 29)
    - Re: Firing off Abuse email based on Snort Traffic Skip Carter (May 29)
    - Re: Firing off Abuse email based on Snort Traffic Budi Rahardjo (May 29)
    - Re: Firing off Abuse email based on Snort Traffic Michael H. Warfield (May 29)
  - Re: Firing off Abuse email based on Snort Traffic Frank Knobbe (May 29)
  - Re: [OT] Firing off Abuse email based on Snort Traffic Matt Kettler (May 30)
    - Re: [OT] Firing off Abuse email based on Snort Traffic Matt Howell (May 30)
    - Re: [OT] Firing off Abuse email based on Snort Traffic james (May 30)
- RE: Firing off Abuse email based on Snort Traffic Nicholas Delo (May 29)
- Re: Firing off Abuse email based on Snort Traffic Mark Rowlands (May 29)
- Re: Firing off Abuse email based on Snort Traffic Todd Holloway (May 30)
- <Possible follow-ups>
- RE: Firing off Abuse email based on Snort Traffic bmcdowell (May 29)
  - RE: Firing off Abuse email based on Snort Traffic Matt Howell (May 29)
- RE: Firing off Abuse email based on Snort Traffic Donofrio, Lewis (May 29)
- Re: Firing off Abuse email based on Snort Traffic scheidell (May 30)