[Snort-users] Firing off Abuse email based on Snort Traffic

Donofrio, Lewis donofrio at ...1052...
Thu May 29 16:11:07 EDT 2003


I used to send out emails like this...

***SNIPPED***
Administrative Contact: abuse at ...1820...;abuse at ...1822...

On 8:26:01 PM, Wednesday, October 16, 2002, there were several
unauthorized attempts to access servers here at the University of
Michigan, USA. The attempts appear to have originated from
217.81.235.234, a host in your domain. I'm sending you the portion of
our log files that alerted us to this break-in attempt. The times
indicated are Eastern Daylight Time.

Since this activity amounts to trying to gain illegal access to a
government machine across state lines, I appreciate your assistance in
preventing future intrusion attempts from this machine. Thanks.

http://advice.networkice.com/advice/Intrusions/2003013/?port=1433&reason=RSTsent
********SNIPPED FROM ATTACKLIST.CVS********
Severity            1
Timestamp (GMT)     2002-10-16 20:26:11
IssueId             2003013
IssueName           SQL port probe
IntruderIp          217.81.235.234
IntruderName        pd951ebea.dip.t-dialin.net
VictimIp            141.211.32.70
VictimName
Attack Parameters   port=1433&reason=RSTsent
Attack Count        4
Intruder Port       4417
Victim Port         1433
********SNIPPED FROM ATTACKLIST.CVS********

***SNIPPED***

Did the whois lookup and had to exclude a lot of ports, emailed myself
from this automatic script, then only got 10% returned emails saying
'thanks.'

After a while of doing this the ISP responses died down, almost like
it's a "don't ask, don't tell" world on the Internet I or II.
______________________________________________________________________ 
Lewis	Donofrio at ...1052...	College of Literature, Science, & Arts 
1007 East Huron, Room 201,	BetaID:243340	Cell: (734) 323-8776
Ann Arbor,MI 48104-1690	www.umich.edu/~donofrio	 Fax: (734) 647-8333 


> -----Original Message-----
> From: bmcdowell at ...7861... 
> [mailto:bmcdowell at ...7861...] 
> Sent: Thursday, May 29, 2003 5:44 PM
> To: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Firing off Abuse email based on 
> Snort Traffic
> 
> 
> 
> I personally am not aware of anything like this, mostly 
> because it is generally frowned upon.  Like the others have 
> said, this may not be very well received by the ISP in 
> question.  That is beside the fact that the ISP may or may 
> not even read your automated e-mail, let alone do anything 
> whatsoever about it.  Another facet to it is that 
> port-scanning may or may not be malicious, and AFAIK is not 
> illegal (at least in and of itself - but IANAL).  Individual 
> ISPs may or may not have a policy against port-scanning.  I 
> don't mean to start up a debate here, but I would imagine 
> that your time might be better spent elsewhere.  For example, 
> maybe you should move your sensor inside your DMZ and scan 
> the traffic that actually gets past your defenses.  Or, you 
> may want to consider a Honeypot/net/etc to actually observe 
> the enemy in the wild.
> 
> Also, Matt Kettler raised a good point.  Time can be in very 
> short supply.  Many (or at least some) of us use snort 
> primarily because our corporation won't shell out the big 
> bucks for something commercial.  And if that is the case, you 
> can bet that those same corps aren't shelling out the cash 
> for extra admin staff either - which leaves one shorthanded.
> 
> Just my $.02...
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of 
> Matt Howell
> Sent: Thursday, May 29, 2003 3:46 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Firing off Abuse email based on 
> Snort Traffic
> 
> 
> On Thu, 2003-05-29 at 12:07, Matt Kettler wrote:
> > If you were to send me such an email without good evidence that an
> > actual attack was occurring, I'd request you immediately cease. If
> > you failed to cease, I'd blacklist all email from your domain on the
> > third occurrence, and issue a complaint to your upstream provider.
> 
> I understand your argument, and I am looking for a solution 
> that will work within the constraints that you mentioned.
> 
> Our portscan thresholds are pretty lax (you have to either 
> scan more than just a handful of ports or hosts to set it 
> off), and I have several more specific rules / preprocessors 
> disabled (i.e. the chatty Portscan2 / conversation modules).  
> I recognize your concern for being "spammed" with abuse, but 
> I am working under the assumption that if such a project 
> exists, the developers would have taken this into 
> consideration and included some sort of record keeping 
> functionality to prevent multiple notifications within a 
> reasonable time frame (2 days?).
> 
> From our internal policy, if Snort reports that a host (or 
> series of hosts on the same subnet) has scanned 150 hosts on 
> our network, then this would definitely warrant an abuse 
> email.  Right now, each one of these is created by hand, 
> based on a cookie cutter form anyway.  When you consider that 
> we receive portscans at all hours of the day, and an 
> administrator is not necessarily available to fire off an 
> email right at night, it would be nice to provide an ISP with 
> a timely notification so that they can address the issue 
> while the host is still active (in theory).
> 
> Are you aware of a project like this?
> 
> -Matt
> 
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe: 
> https://lists.sourceforge.net/lists/> listinfo/snort-users
> 
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> 
> 
> 

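Matt Howell's quoted message spells out the two pieces such a tool would need: a policy threshold (a source that has scanned 150 hosts warrants a report) and record keeping so the same ISP is not notified again within a reasonable window (2 days). The following is an added example of that aggregation and suppression logic; it is not code from the original thread or from any Snort project. It assumes alert lines in the style of Snort's fast alert output and feeds itself a constructed sample on RFC 5737 test addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Policy from the thread: report a source that scanned 150 hosts, no repeat within 2 days.
HOST_THRESHOLD = 150
SUPPRESS_WINDOW = timedelta(days=2)
# Picks date, time, src and dst out of a Snort fast-style alert line (assumed format).
ALERT_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+ .*\{(?:TCP|UDP)\} "
                      r"([\d.]+):\d+ -> ([\d.]+):\d+$")

def parse_alert(line, year=2003):
    """Return (timestamp, src_ip, dst_ip), or None for a line we do not understand."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    mon, day, clock, src, dst = m.groups()
    return datetime.strptime(f"{year}/{mon}/{day} {clock}", "%Y/%m/%d %H:%M:%S"), src, dst

def scanners_over_threshold(lines, threshold=HOST_THRESHOLD):
    """Map src -> (distinct hosts hit, last seen) for sources at or over the threshold."""
    victims, last_seen = defaultdict(set), {}
    for rec in filter(None, map(parse_alert, lines)):
        ts, src, dst = rec
        victims[src].add(dst)
        last_seen[src] = max(ts, last_seen.get(src, ts))
    return {s: (len(v), last_seen[s]) for s, v in victims.items() if len(v) >= threshold}

def due_for_notification(candidates, sent_log, window=SUPPRESS_WINDOW):
    """Pick the sources to report now. sent_log (src -> time of last report) is the
    record-keeping state; persist it between runs so repeats stay suppressed."""
    due = []
    for src, (_count, seen) in sorted(candidates.items()):
        last = sent_log.get(src)
        if last is not None and seen - last < window:
            continue  # reported within the window already; stay quiet
        sent_log[src] = seen
        due.append(src)
    return due

def sample_alerts():
    """Constructed feed on RFC 5737 test addresses: one source sweeps 160 hosts,
    another touches only 3, which the policy says is not worth a report."""
    fmt = ("05/29-%02d:%02d:00.000000 [**] [1:1000001:1] constructed probe [**] "
           "[Priority: 3] {TCP} %s:4417 -> 192.0.2.%d:1433")
    lines = [fmt % (12, i % 60, "198.51.100.7", i + 1) for i in range(160)]
    lines += [fmt % (13, i, "203.0.113.9", i + 1) for i in range(3)]
    return lines
```

Whatever mails the report would run after `due_for_notification` and write `sent_log` back to disk; the whois lookup and the hand-written cookie-cutter text from the thread sit outside this logic.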