[Snort-users] Firing off Abuse email based on Snort Traffic

bmcdowell at ...7861... bmcdowell at ...7861...
Thu May 29 14:43:05 EDT 2003


I personally am not aware of anything like this, mostly because it is generally frowned upon.  Like the others have said, this may not be very well received by the ISP in question.  That is beside the fact that the ISP may or may not even read your automated e-mail, let alone do anything whatsoever about it.  Another facet to it is that port-scanning may or may not be malicious, and AFAIK is not illegal (at least in and of itself - but IANAL).  Individual ISPs may or may not have a policy against port-scanning.  I don't mean to start up a debate here, but I would imagine that your time might be better spent elsewhere.  For example, maybe you should move your sensor inside your DMZ and scan the traffic that actually gets past your defenses.  Or, you may want to consider a Honeypot/net/etc. to actually observe the enemy in the wild.

Also, Matt Kettler raised a good point.  Time can be in very short supply.  Many (or at least some) of us use snort primarily because our corporation won't shell out the big bucks for something commercial.  And if that is the case, you can bet that those same corps aren't shelling out the cash for extra admin staff either - which leaves one shorthanded.

Just my $.02...

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Matt Howell
Sent: Thursday, May 29, 2003 3:46 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Firing off Abuse email based on Snort Traffic


On Thu, 2003-05-29 at 12:07, Matt Kettler wrote:
> If you were to send me such an email without good evidence that an actual 
> attack was occurring, I'd request you immediately cease. If you failed to 
> cease, I'd blacklist all email from your domain on the third occurrence, 
> and issue a complaint to your upstream provider.

I understand your argument, and I am looking for a solution that will
work within the constraints that you mentioned.

Our portscan thresholds are pretty lax (you have to either scan more
than just a handful of ports or hosts to set it off), and I have several
more specific rules / preprocessors disabled (ie: the chatty Portscan2 /
conversation modules).  I recognize your concern for being "spammed"
with abuse, but I am working under the assumption that if such a project
exists, the developers would have taken this into consideration and
included some sort of record keeping functionality to prevent multiple
notifications within a reasonable time frame (2 days?).
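The "record keeping" Matt Howell describes above (notify at most once per source within a window, e.g. 2 days) is the part of such a tool that keeps it from spamming an abuse desk. The following is an added example, not code from the thread or from any Snort project: it parses lines in Snort's "fast" alert format, keeps only alerts whose message mentions a portscan, and consults a ledger that suppresses repeat notifications for the same source IP inside the window. The sample alert lines, the rule SIDs, and the "portscan" match string are constructed for illustration; the year is passed in separately because fast-format timestamps do not carry one. Sending the mail and looking up the abuse contact are deliberately left out.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alerts in Snort "fast" format (not from the original thread;
# SIDs 1000001/1000002 are placeholders, addresses are RFC 5737 documentation ranges).
SAMPLE_ALERTS = [
    "05/29-12:07:10.000000 [**] [1:1000001:1] PORTSCAN TCP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4321 -> 198.51.100.5:80",
    # same scanner two minutes later: must be suppressed by the ledger
    "05/29-12:09:55.000000 [**] [1:1000001:1] PORTSCAN TCP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4322 -> 198.51.100.5:443",
    # not a portscan alert at all: ignored by the filter regardless of source
    "05/29-13:00:00.000000 [**] [1:1000002:1] WEB-MISC /etc/passwd [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4444 -> 198.51.100.5:80",
    # a different scanner: notified
    "05/30-09:15:00.000000 [**] [1:1000001:1] PORTSCAN TCP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:55000 -> 198.51.100.5:22",
    # first scanner again, but more than 2 days after its last notification: notified
    "05/31-12:30:00.000000 [**] [1:1000001:1] PORTSCAN TCP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4400 -> 198.51.100.5:25",
]

# One fast-format alert line: timestamp, [gid:sid:rev], message, optional
# classification/priority, {proto}, then "src[:port] -> dst[:port]".
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)


def parse_fast_alert(line, year):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": int(m["sid"]), "msg": m["msg"],
            "proto": m["proto"], "src": m["src"], "dst": m["dst"]}


class NotificationLedger:
    """Remembers when each source IP was last reported so repeats inside the
    window are suppressed instead of generating another abuse mail."""

    def __init__(self, window=timedelta(days=2)):
        self.window = window
        self.last_sent = {}    # src ip -> datetime of the last notification
        self.suppressed = {}   # src ip -> number of alerts swallowed by the window

    def should_notify(self, src, now):
        last = self.last_sent.get(src)
        if last is not None and now - last < self.window:
            self.suppressed[src] = self.suppressed.get(src, 0) + 1
            return False
        self.last_sent[src] = now
        return True


def select_notifications(lines, ledger, year=2003, match="portscan"):
    """Return [(src, timestamp), ...] for alerts that warrant a notification:
    the message must mention `match` and the ledger must not have reported
    that source within its window."""
    to_notify = []
    for line in lines:
        alert = parse_fast_alert(line, year)
        if alert is None or match not in alert["msg"].lower():
            continue
        if ledger.should_notify(alert["src"], alert["ts"]):
            to_notify.append((alert["src"], alert["ts"]))
    return to_notify


if __name__ == "__main__":
    ledger = NotificationLedger()
    for src, ts in select_notifications(SAMPLE_ALERTS, ledger):
        print(f"would notify abuse contact for {src} (alert at {ts})")
    print("suppressed:", ledger.suppressed)
```

In real use the ledger would be persisted to disk between runs (a pickle or a small database keyed by source IP), since the whole point is to remember across days, and the window would be a policy decision rather than a constant. Keying on the source IP alone also means a large scan that trips many rule messages still yields one mail, which is the behaviour an ISP abuse desk would expect.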


