[Snort-users] Firing off Abuse email based on Snort Traffic

Matt Howell mhowell at ...9084...
Thu May 29 13:46:10 EDT 2003


On Thu, 2003-05-29 at 12:07, Matt Kettler wrote:
> If you were to send me such an email without good evidence that an actual 
> attack was occurring, I'd request you immediately cease. If you failed to 
> cease, I'd blacklist all email from your domain on the third occurrence, 
> and issue a complaint to your upstream provider.

I understand your argument, and I am looking for a solution that will
work within the constraints that you mentioned.

Our portscan thresholds are pretty lax (you have to either scan more
than just a handful of ports or hosts to set it off), and I have several
more specific rules / preprocessors disabled (ie: the chatty Portscan2 /
conversation modules).  I recognize your concern for being "spammed"
with abuse, but I am working under the assumption that if such a project
exists, the developers would have taken this into consideration and
included some sort of record keeping functionality to prevent multiple
notifications within a reasonable time frame (2 days?).



More information about the Snort-users mailing list