Snort mailing list archives
RE: Firing off Abuse email based on Snort Traffic
From: "Donofrio, Lewis" <donofrio () umich edu>
Date: Thu, 29 May 2003 19:09:58 -0400
I used to send out emails like this...

***SNIPPED***

Administrative Contact: abuse () t-online de;abuse () t-dialin net

On 8:26:01 PM, Wednesday, October 16, 2002, there were several unauthorized attempts to access servers here at the University of Michigan, USA. The attempts appear to have originated from 217.81.235.234, a host in your domain. I'm sending you the portion of our log files that alerted us to this break-in attempt. The times indicated are Eastern Daylight Time. Since this activity amounts to trying to gain illegal access to a government machine across state lines, I appreciate your assistance in preventing future intrusion attempts from this machine. Thanks.

http://advice.networkice.com/advice/Intrusions/2003013/?port=1433&reason=RSTsent

********SNIPPED FROM ATTACKLIST.CVS********
Severity: 1
Timestamp (GMT): 2002-10-16 20:26:11
IssueId: 2003013
IssueName: SQL port probe
IntruderIp: 217.81.235.234
IntruderName: pd951ebea.dip.t-dialin.net
VictimIp: 141.211.32.70
VictimName:
Attack Parameters: port=1433&reason=RSTsent
Attack Count: 4
Intruder Port: 4417
Victim Port: 1433
********SNIPPED FROM ATTACKLIST.CVS********

***SNIPPED***

Did the whois lookup and had to exclude a lot of ports, emailed myself from this automatic script, then only got 10% returned emails saying 'thanks.' -- after a while of doing this the ISP responses died down, almost like it's a "don't ask don't tell" world on the Internet I or II.

______________________________________________________________________
Lewis Donofrio () umich edu
College of Literature, Science, & Arts
1007 East Huron, Room 201, BetaID:243340
Ann Arbor, MI 48104-1690
Cell: (734) 323-8776
Fax: (734) 647-8333
www.umich.edu/~donofrio
-----Original Message-----
From: bmcdowell () coxhealthplans com [mailto:bmcdowell () coxhealthplans com]
Sent: Thursday, May 29, 2003 5:44 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Firing off Abuse email based on Snort Traffic

I personally am not aware of anything like this, mostly because it is generally frowned upon. Like the others have said, this may not be very well received by the ISP in question. That is beside the fact that the ISP may or may not even read your automated e-mail, let alone do anything whatsoever about it. Another facet to it is that port-scanning may or may not be malicious, and AFAIK is not illegal (at least in and of itself - but IANAL). Individual ISPs may or may not have a policy against port-scanning.

I don't mean to start up a debate here, but I would imagine that your time might be better spent elsewhere. For example, maybe you should move your sensor inside your DMZ and scan the traffic that actually gets past your defenses. Or, you may want to consider a Honeypot/net/etc to actually observe the enemy in the wild.

Also, Matt Kettler raised a good point. Time can be in very short supply. Many (or at least some) of us use snort primarily because our corporation won't shell out the big bucks for something commercial. And if that is the case, you can bet that those same corps aren't shelling out the cash for extra admin staff either - which leaves one shorthanded.

Just my $.02...

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Matt Howell
Sent: Thursday, May 29, 2003 3:46 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Firing off Abuse email based on Snort Traffic

On Thu, 2003-05-29 at 12:07, Matt Kettler wrote:
> If you were to send me such an email without good evidence that an actual attack was occurring, I'd request you immediately cease. If you failed to cease, I'd blacklist all email from your domain on the third occurrence, and issue a complaint to your upstream provider.

I understand your argument, and I am looking for a solution that will work within the constraints that you mentioned. Our portscan thresholds are pretty lax (you have to either scan more than just a handful of ports or hosts to set it off), and I have several more specific rules / preprocessors disabled (i.e. the chatty Portscan2 / conversation modules).

I recognize your concern for being "spammed" with abuse, but I am working under the assumption that if such a project exists, the developers would have taken this into consideration and included some sort of record keeping functionality to prevent multiple notifications within a reasonable time frame (2 days?).

From our internal policy, if Snort reports that a host (or series of hosts on the same subnet) have scanned 150 hosts on our network, then this would definitely warrant an abuse email. Right now, each one of these is created by hand, based on a cookie cutter form anyway. When you consider that we receive portscans at all hours of the day, and an administrator is not necessarily available to fire off an email right at night, it would be nice to provide an ISP with a timely notification so that they can address the issue while the host is still active (in theory).

Are you aware of a project like this?

-Matt

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
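Matt Howell's two requirements in the thread above (report a source only once it has touched about 150 hosts, and keep records so the same source is not reported again within roughly two days) as a working Python sketch. This is an added example, not code from Snort or from anyone in the thread; the (timestamp, src_ip, dst_ip) alert tuples, the IP addresses and the names source_key, select_reports and ledger are all constructed or assumed here.

```python
"""Threshold and record-keeping logic for automated abuse reports built from
Snort portscan alerts. Added example; alert tuples are a constructed simplification."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

HOST_THRESHOLD = 150                 # distinct victim hosts that justify a report
RENOTIFY_WINDOW = timedelta(days=2)  # never re-notify the same source within 2 days


def source_key(ip):
    """Group scanners by /24 so a series of hosts on one subnet counts as one source."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def aggregate(alerts):
    """Map each source /24 to the set of distinct victim hosts it touched."""
    victims = defaultdict(set)
    for _ts, src, dst in alerts:            # alerts: iterable of (timestamp, src_ip, dst_ip)
        victims[source_key(src)].add(dst)
    return victims


def select_reports(alerts, ledger, now):
    """Return [(source, victim_count)] for sources over HOST_THRESHOLD that were not
    reported within RENOTIFY_WINDOW. `ledger` (source -> last report time) is the
    record-keeping store; it is updated in place and should be persisted between runs."""
    reports = []
    for src, hosts in sorted(aggregate(alerts).items()):
        if len(hosts) < HOST_THRESHOLD:
            continue                        # below policy threshold: no report
        last = ledger.get(src)
        if last is not None and now - last < RENOTIFY_WINDOW:
            continue                        # already reported recently: suppress
        ledger[src] = now
        reports.append((src, len(hosts)))
    return reports


def constructed_alerts(src_ip, n_hosts, start):
    """Constructed sample: src_ip touching n_hosts addresses in the 198.51.100.0/24 test range."""
    hosts = list(ipaddress.ip_network("198.51.100.0/24").hosts())[:n_hosts]
    return [(start + timedelta(seconds=i), src_ip, str(h)) for i, h in enumerate(hosts)]


def demo():
    """One noisy source, one quiet source, three runs spread over three days."""
    t0 = datetime(2003, 5, 29, 19, 0)
    ledger = {}
    batch = constructed_alerts("203.0.113.7", 200, t0) + constructed_alerts("192.0.2.9", 20, t0)
    return [select_reports(batch, ledger, t0 + d)
            for d in (timedelta(0), timedelta(hours=6), timedelta(days=3))]
```

demo() reports the noisy /24 on the first run, suppresses it six hours later, and reports it again once the two-day window has passed; the 20-host source never qualifies.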