[Snort-users] Firing off Abuse email based on Snort Traffic

Matt Howell mhowell at ...9084...
Thu May 29 16:04:03 EDT 2003


On Thu, 2003-05-29 at 15:44, Erek Adams wrote: 
> For the most part I'd have to side with Matt Kettler on this.  I've worked
> in Security and Abuse at a large ISP before...  If I got multiple emails
> that say 'One of your dialup users portscanned X machines on my network',
> I'd be real tempted to add that email address to the /dev/null procmail
> filter.  

As I mentioned in my previous post, I am looking for something that
sends one email per ISP per 48-72 hour period.  Having worked in
my clients' own IT departments, I know the frustration of being spammed
with support requests.
 
> To be quite honest, don't send email.  It's almost a waste of time in many
> cases.  Your best result is to actually pick up the phone and call.
> Direct interaction with someone is an excellent way to get something done.
> The person on the phone might actually hear the urgency in your voice,
> where 'reading the urgency' from an email just might not happen.

I totally agree.  Unfortunately, a considerable number of our scans are
coming from the Asia Pacific area.  APNIC often only returns an email
address for abuse and no phone number.  The client that I am involved
with currently is in the medical field and has ramped up recent
security efforts in response to the recent HIPAA regulations and
dramatic network compromises (thus the reason Snort was deployed).

How do other administrators handle genuine attacks and Portscans from
International sources?

-Matt
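The throttling Matt describes (one abuse report per ISP per 48-72 hour window, with the scans seen in between rolled into the next report) can be prototyped in a few dozen lines. The following is an added example and not code from the thread or from the Snort project: it parses constructed alert lines in Snort's "fast" alert format, maps each source address to an abuse contact through a constructed prefix table standing in for a WHOIS/RDAP lookup (the contacts and prefixes are placeholders, as are the `AbuseNotifier` and `build_reports` names), and emits at most one aggregated report per contact per window.

```python
"""Aggregate Snort portscan alerts per responsible ISP and rate-limit abuse
reports to one per ISP per window (48-72 h in the post; 72 h by default here).

Added example, not part of the mailing-list thread. Alert lines, the
prefix-to-contact table and the timestamps are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed alert lines in Snort's "fast" alert format (no year, as Snort logs it).
SAMPLE_ALERTS = """\
05/29-14:02:11.123456  [**] [122:1:0] (portscan) TCP Portscan [**] {PROTO:255} 198.51.100.23 -> 192.0.2.10
05/29-14:05:40.654321  [**] [122:1:0] (portscan) TCP Portscan [**] {PROTO:255} 198.51.100.23 -> 192.0.2.11
05/29-15:10:02.000000  [**] [122:1:0] (portscan) TCP Portscan [**] {PROTO:255} 203.0.113.77 -> 192.0.2.10
05/30-09:12:44.000000  [**] [122:1:0] (portscan) TCP Portscan [**] {PROTO:255} 198.51.100.99 -> 192.0.2.12
"""

# Constructed stand-in for a WHOIS/RDAP lookup: announced prefix -> abuse mailbox.
ABUSE_CONTACTS = {
    ipaddress.ip_network("198.51.100.0/24"): "abuse@isp-a.example",
    ipaddress.ip_network("203.0.113.0/24"): "abuse@isp-b.example",
}

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\].*?\[\*\*\]\s+\{[^}]*\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)"
)


def parse_alerts(text, year=2003):
    """Yield (timestamp, src_ip, dst_ip) for every parseable fast-alert line."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # skip anything that is not a fast-format alert line
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        yield ts, m["src"], m["dst"]


def abuse_contact(ip):
    """Return the abuse contact responsible for ip, or None if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, contact in ABUSE_CONTACTS.items():
        if addr in net:
            return contact
    return None


class AbuseNotifier:
    """Buffers events per abuse contact and emits at most one report per window."""

    def __init__(self, window_hours=72):
        self.window = timedelta(hours=window_hours)
        self.last_sent = {}                 # contact -> time of the last report
        self.pending = defaultdict(list)    # contact -> events not yet reported

    def _report(self, contact, now):
        events = self.pending.pop(contact)
        self.last_sent[contact] = now
        return {
            "to": contact,
            "count": len(events),
            "sources": sorted({src for _, src, _ in events}),
            "targets": sorted({dst for _, _, dst in events}),
            "first": events[0][0],
            "last": events[-1][0],
        }

    def observe(self, ts, src, dst):
        """Record one event; return a report dict if one is due now, else None."""
        contact = abuse_contact(src)
        if contact is None:
            return None                     # unknown netblock: nobody to notify
        self.pending[contact].append((ts, src, dst))
        last = self.last_sent.get(contact)
        if last is not None and ts - last < self.window:
            return None                     # inside the quiet period: keep buffering
        return self._report(contact, ts)


def build_reports(text, window_hours=72):
    """Run all alerts through a notifier and return the reports it emitted."""
    notifier = AbuseNotifier(window_hours)
    reports = []
    for ts, src, dst in parse_alerts(text):
        r = notifier.observe(ts, src, dst)
        if r:
            reports.append(r)
    return reports


if __name__ == "__main__":
    for r in build_reports(SAMPLE_ALERTS):
        print(f"{r['to']}: {r['count']} portscan alert(s) from "
              f"{', '.join(r['sources'])} between {r['first']} and {r['last']}")
```

With the default 72 hour window the four constructed alerts produce two reports (one per ISP); the second and fourth alerts stay buffered for the next report to ISP A. Shrinking the window to one hour shows the aggregation: the report sent on 05/30 covers both of ISP A's buffered sources in a single message.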