[Snort-users] Firing off Abuse email based on Snort Traffic
mhowell at ...9084...
Thu May 29 13:46:10 EDT 2003
On Thu, 2003-05-29 at 12:07, Matt Kettler wrote:
> If you were to send me such an email without good evidence that an actual
> attack was occurring, I'd request you immediately cease. If you failed to
> cease, I'd blacklist all email from your domain on the third occurrence,
> and issue a complaint to your upstream provider.
I understand your argument, and I am looking for a solution that will
work within the constraints that you mentioned.
Our portscan thresholds are pretty lax (you have to either scan more
than just a handful of ports or hosts to set it off), and I have several
more specific rules / preprocessors disabled (ie: the chatty Portscan2 /
conversation modules). I recognize your concern for being "spammed"
with abuse, but I am working under the assumption that if such a project
exists, the developers would have taken this into consideration and
included some sort of record keeping functionality to prevent multiple
notifications within a reasonable time frame (2 days?).
More information about the Snort-users