[Snort-users] Firing off Abuse email based on Snort Traffic

Chris chris at ...9206...
Thu May 29 13:48:05 EDT 2003

Adding on to what Matt was telling Matt... 

Certainly, the message is a little bit rambling; none of it is meant as
a flame of any sort.

Have every single alert go to your pager first. Once you're okay with
that, have every person in your department call each other (like playing
operator) when a page is received. If that does not drive them crazy,
and it's that occasional, then you might be at a much better point than
the rest of us are. :)

Snort's a great tool, but it is not an analyst. I'll fling alerts around
in e-mail with some well-meaning notes (we've been picking up a lot of
scans from this IP over the past two weeks trying to scan for places to
spam off of, or please assure this user that even though this is only
the 5th week he has scanned our network, we still do not use the snmp
public community, etc). Most of the time, I don't put much explanation
in them.

Automation of this sort of thing is tough, especially if your
requirement is to have no analysis performed before hand. 

You also won't get anything NEAR the same results by using automated
methods as you do using a human. A human can notice patterns, do
searches, remember that really odd looking tcp setting from a domain
yesterday that you're seeing again, etc... any automated system out
there currently is still a bit immature...

There is also the personal perspective. If I see a note from a system
administrator with a terse "One of your customers was doing a portscan
on my box, just an FYI in case you can take a look at it and clue him
in" vs. anything resembling an automated message, my response is
drastically different. So by that last train of thought - the extra
investment in time and manpower may be worth the actual result achieved.
Especially on a macro view. ;)

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Matt
Sent: Thursday, May 29, 2003 3:08 PM
To: Matt Howell; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Firing off Abuse email based on Snort Traffic

FWIW, I'd like to give you some perspective.

If you were to send me such an email without good evidence that an
attack was occurring, I'd request you immediately cease. If you failed
to cease, I'd blacklist all email from your domain on the third
occurrence, and issue a complaint to your upstream provider.

I'd think LONG and HARD about automating an abuse complaint based on
such a weak sign as portscan thresholds. People do not take kindly to
being bombarded by email from a half-baked and broken "intrusion"
sensor. It is noise to an already overloaded system.

If you can unconditionally prove it is a legitimate attack, then feel
free to automate.. but abuse should not be abused by carpet bombing it
with "hunches" and "I think this may be an attack" from automated
systems. "Maybe" cases should be hand written.

At 10:44 AM 5/29/2003 -0700, Matt Howell wrote:
>We are starting to really see the benefit of our Snort deployment
>project, and inevitably the project's scope has been expanded. We would
>like to set up a Sensor to automatically send Abuse emails to the ISP of
>any hosts that break our Portscan threshold. Has anyone seen a
>/ product out there that does this already?
>Any input would be appreciated...
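The thread's consensus is that a portscan threshold alone should open a ticket for an analyst, not fire an abuse mail. The script below, an added example that is not part of this thread and not Snort's own code, shows what that gate can look like: it reads Snort "fast"-format alert lines, counts only sfPortscan preprocessor events (GID 122) per source, ignores our own address space, and marks a source for human "review" once it crosses a threshold against several distinct targets, producing an evidence block for the analyst to paste into a hand-written note. The alert lines, the address ranges, the threshold values and the contact address are all constructed for the example; the line format is an approximation of Snort's fast alert output.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Approximation of Snort's "fast" alert line. The portscan preprocessor
# (sfPortscan) logs with generator id 122; rule-based alerts use GID 1.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)
PORTSCAN_GID = "122"

# Constructed sample input: one noisy external source, one single hit, one
# internal host, and a non-portscan rule alert (local SID range) that must not
# count toward the portscan threshold.
SAMPLE_ALERTS = """\
05/28-09:12:01.000001  [**] [122:1:0] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 192.0.2.10 -> 198.51.100.5
05/28-09:12:44.000002  [**] [122:1:0] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 192.0.2.10 -> 198.51.100.6
05/29-10:40:13.000003  [**] [122:1:0] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 192.0.2.10 -> 198.51.100.7
05/29-10:41:02.000004  [**] [122:3:0] (portscan) TCP Portsweep [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 192.0.2.10 -> 198.51.100.5
05/29-11:02:59.000005  [**] [122:1:0] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 203.0.113.7 -> 198.51.100.5
05/29-11:15:00.000006  [**] [122:1:0] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 10.0.0.5 -> 198.51.100.5
05/29-11:16:00.000007  [**] [1:1000001:1] LOCAL snmp public community probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.7:1029 -> 198.51.100.5:161
"""


@dataclass
class SourceSummary:
    src: str
    first_seen: str = ""
    last_seen: str = ""
    count: int = 0
    targets: set = field(default_factory=set)
    messages: set = field(default_factory=set)
    evidence: list = field(default_factory=list)
    action: str = "drop"  # one of: drop, review, internal


def parse_alert(line):
    """Return the alert's fields as a dict, or None for lines we do not understand."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(alert_text, local_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
           threshold=3, min_targets=2):
    """Aggregate portscan alerts per source and decide what a human should see.

    Nothing here sends mail: "review" means an analyst gets the evidence and
    writes the note, "internal" means one of our own hosts is scanning.
    """
    nets = [ip_network(n) for n in local_nets]
    summaries = {}
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a is None or a["gid"] != PORTSCAN_GID:
            continue  # only preprocessor portscan events count toward the threshold
        s = summaries.setdefault(a["src"], SourceSummary(src=a["src"], first_seen=a["ts"]))
        s.count += 1
        s.last_seen = a["ts"]
        s.targets.add(a["dst"])
        s.messages.add(a["msg"])
        s.evidence.append(line.strip())
    for s in summaries.values():
        if any(ip_address(s.src) in n for n in nets):
            s.action = "internal"
        elif s.count >= threshold and len(s.targets) >= min_targets:
            s.action = "review"
        else:
            s.action = "drop"
    return summaries


def draft_report(summary, our_contact="soc@example.net"):
    """Evidence block for the analyst's hand-written note (contact address is a placeholder)."""
    lines = [
        f"Source: {summary.src}",
        f"Portscan alerts: {summary.count} against {len(summary.targets)} distinct hosts",
        f"Window: {summary.first_seen} to {summary.last_seen}",
        f"Alert types: {', '.join(sorted(summary.messages))}",
        "Raw alerts:",
        *("  " + e for e in summary.evidence),
        f"Questions: {our_contact}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for src, s in sorted(triage(SAMPLE_ALERTS).items()):
        print(f"{src:15} {s.action:8} alerts={s.count} targets={len(s.targets)}")
        if s.action == "review":
            print(draft_report(s))
```

Run it on a real `alert` file by replacing `SAMPLE_ALERTS` with the file contents and adjusting `local_nets` to your own ranges; the point of the design is that the only automated output is a queue of evidence blocks, and the decision to send anything stays with the person who reads them.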
