[Snort-users] Firing off Abuse email based on Snort Traffic

Erek Adams erek at ...950...
Thu May 29 15:45:08 EDT 2003

On Thu, 29 May 2003, Matt Howell wrote:

> I understand your argument, and I am looking for a solution that will
> work within the constraints that you mentioned.


For the most part I'd have to side with Matt Kettler on this.  I've worked
in Security and Abuse at a large ISP before...  If I got multiple emails
that say 'One of your dialup users portscanned X machines on my network',
I'd be real tempted to add that email address to the /dev/null procmail
filter.  For the most part Dialup, Cable and DSL providers don't care
about a portscan.  You can't really show any damage or intent, you can
only show connections.  You can't really say that the scanner had any
malicious intent--I mean it could have been a network discovery program
with bad user input.

I'm not arguing that you ignore portscans.  Far from it!  I expect you
monitor, log and data mine them just like you do everything else.  Only
after there is a noticeable trend or grouping should you act.  I'm also
not saying that portscanning is OK.  I'm just saying that portscans aren't
critical.  On the other hand, a portscan followed by a targeted exploit
would be a reason to take action, whether or not the exploit was successful
has no bearing on the situation.

To be quite honest, don't send email.  It's almost a waste of time in many
cases.  Your best result is to actually pick up the phone and call.
Direct interaction with someone is an excellent way to get something done.
The person on the phone might actually hear the urgency in your voice,
where 'reading the urgency' from an email just might not happen.

Automation can be a lifesaver, but you should never automate things that
_really_ need human decision making.  And that like all the rest of the
email was my opinion.  Treat it like 'free advice'--It costs you nothing
and is worth nothing.  ;-)

Hope that helps!  Cheers!

Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
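A defender-side illustration of the triage Erek describes (log and mine portscans, act only on a noticeable trend or on a scan followed by a targeted exploit), added here as an example and not part of the thread or of Snort itself. It parses constructed alert_fast-style lines and assumes that generator id 122 marks sfPortscan alerts and that priority 1 marks exploit-class events.

```python
import re
from collections import defaultdict

# Constructed sample lines in Snort alert_fast style; not taken from the thread.
SAMPLE_ALERTS = """\
05/29-15:40:01.000000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {TCP} 10.0.0.5 -> 192.168.1.10
05/29-15:40:02.000000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {TCP} 10.0.0.5 -> 192.168.1.11
05/29-15:41:10.000000  [**] [1:1000001:1] LOCAL exploit attempt (constructed) [**] [Priority: 1] {TCP} 10.0.0.5:4012 -> 192.168.1.11:80
05/29-15:42:00.000000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {TCP} 10.0.0.7 -> 192.168.1.20
05/29-15:43:00.000000  [**] [1:1000001:1] LOCAL exploit attempt (constructed) [**] [Priority: 1] {TCP} 10.0.0.9:5000 -> 192.168.1.30:80
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol, source[:port] -> destination[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: (?P<prio>\d+)\] \{\w+\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)
PORTSCAN_GID = "122"   # assumption: sfPortscan preprocessor generator id
EXPLOIT_PRIO = "1"     # assumption: priority 1 = exploit-class rule hit


def parse(lines):
    """Yield one dict per line that matches the alert_fast layout; skip the rest."""
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:
            yield m.groupdict()


def triage(lines, scan_threshold=5):
    """Return {source: [reasons]} for sources that meet one of the thread's two bars:
    a scan trend (distinct hosts scanned >= scan_threshold) or a scan followed by an
    exploit-class alert.  A lone portscan never qualifies; it is only recorded."""
    scanned = defaultdict(set)   # src -> set of destinations it scanned
    reasons = defaultdict(list)
    for a in parse(lines):       # alert_fast lines arrive in time order
        src = a["src"]
        if a["gid"] == PORTSCAN_GID:
            scanned[src].add(a["dst"])
            if len(scanned[src]) == scan_threshold:
                reasons[src].append("trend: scanned %d hosts" % scan_threshold)
        elif a["prio"] == EXPLOIT_PRIO and src in scanned:
            reasons[src].append("scan then exploit: " + a["msg"])
    return dict(reasons)
```

With the sample above only 10.0.0.5 is reported (scan, then an exploit-class alert); the single scan from 10.0.0.7 is logged but not acted on.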

