[Snort-users] Firing off Abuse email based on Snort Traffic

Matt Kettler mkettler at ...4108...
Thu May 29 12:23:02 EDT 2003


FWWIW, I'd like to give you some perspective.

If you were to send me such an email without good evidence that an actual 
attack was occurring, I'd request you immediately cease. If you failed to 
cease, I'd blacklist all email from your domain on the third occurrence, 
and issue a complaint to your upstream provider.

I'd think LONG and HARD about automating an abuse complaint based on such a 
weak sign as portscan thresholds.  People do not take kindly to being 
bombarded by email from a half-baked and broken "intrusion" sensor. It adds 
noise to an already overloaded system.

If you can unconditionally prove it is a legitimate attack, then feel free 
to automate.. but abuse should not be abused by carpet bombing it with 
"hunches" and "I think this may be an attack" from automated systems. The 
"maybe" cases should be hand written.



At 10:44 AM 5/29/2003 -0700, Matt Howell wrote:
>All...
>
>We are starting to really see the benefit of our Snort deployment
>project, and inevitably the project's scope has been expanded.  We would
>like to set up a Sensor to automatically send Abuse emails to the ISP of
>any hosts that break our Portscan threshold.   Has anyone seen a project
>/ product out there that does this already?
>
>Any input would be appreciated...
>
>TIA,
>
>-Matt





More information about the Snort-users mailing list