Snort mailing list archives
RE: Firing off Abuse email based on Snort Traffic
From: "dave" <dave () netmedic net>
Date: Thu, 29 May 2003 17:37:18 -0400
Can everyone just have all of their alerts go to my pager? Maybe we can DoS my pager company?

_____________________
Dave Kleiman
dave () netmedic net
www.netmedic.net

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Chris
Sent: Thursday, May 29, 2003 16:47
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Firing off Abuse email based on Snort Traffic

Adding on to what Matt was telling Matt... Certainly, the message is a little bit rambling; none is meant as a flame of any sort.

Have every single alert go to your pager first. Once you're okay with that, have every person in your department call each other (like playing operator) when a page is received. If that does not drive them crazy, and it's that occasional, then you might be at a much better point than the rest of us are. :)

Snort's a great tool, but it is not an analyst. I'll fling alerts around in e-mail with some well-meaning notes (we've been picking up a lot of scans from this IP over the past two weeks trying to scan for places to spam off of, or please assure this user that even though this is only the 5th week he has scanned our network, we still do not use the snmp public community, etc). Most of the time, I don't put much explanation in them.

Automation of this sort of thing is tough, especially if your requirement is to have no analysis performed beforehand. You also won't get anything NEAR the same results by using automated methods as you do using a human. A human can notice patterns, do searches, remember that really odd looking tcp setting from a domain yesterday that you're seeing again, etc... any automated system out there currently is still a bit immature...

There is also the personal perspective. If I see a note from a system administrator with a terse "One of your customers was doing a portscan on my box, just an FYI in case you can take a look at it and clue him in" vs. anything resembling an automated message, my response is drastically different.

So by that last train of thought - the extra investment in time and manpower may be worth the actual result achieved. Especially on a macro view. ;)

Cheers,
-Chris

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Matt Kettler
Sent: Thursday, May 29, 2003 3:08 PM
To: Matt Howell; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Firing off Abuse email based on Snort Traffic

FWIW, I'd like to give you some perspective. If you were to send me such an email without good evidence that an actual attack was occurring, I'd request you immediately cease. If you failed to cease, I'd blacklist all email from your domain on the third occurrence, and issue a complaint to your upstream provider.

I'd think LONG and HARD about automating an abuse complaint based on such a weak sign as portscan thresholds. People do not take kindly to being bombarded by email from a half-baked and broken "intrusion" sensor. It adds noise to an already overloaded system.

If you can unconditionally prove it is a legitimate attack, then feel free to automate.. but abuse should not be abused by carpet bombing it with "hunches" and "I think this may be an attack" from automated systems. The "maybe" cases should be hand written.

At 10:44 AM 5/29/2003 -0700, Matt Howell wrote:

All... We are starting to really see the benefit of our Snort deployment project, and inevitably the project's scope has been expanded. We would like to set up a Sensor to automatically send Abuse emails to the ISP of any hosts that break our Portscan threshold. Has anyone seen a project / product out there that does this already? Any input would be appreciated...

TIA,
-Matt
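The triage the thread argues for (collect evidence per source over days before anyone writes to an abuse desk, and leave the decision to a human) as an added example; it is not code from the thread or from Snort, and it assumes Snort 2.x alert_fast portscan lines (sfportscan, GID 122) with constructed sample addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample Snort alert_fast portscan lines (not from the thread).
SAMPLE_ALERTS = """\
05/15-09:12:01.000000 [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 198.51.100.7 -> 192.0.2.10
05/22-11:40:13.000000 [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 198.51.100.7 -> 192.0.2.10
05/29-10:44:00.000000 [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 198.51.100.7 -> 192.0.2.22
05/29-10:45:30.000000 [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.4 -> 192.0.2.10
"""

# Timestamp, GID 122 sid:rev, portscan message, then "src -> dst" at end of line.
ALERT_RE = re.compile(
    r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[122:\d+:\d+\] \(portscan\) (.+?) \[\*\*\].*?(\S+) -> (\S+)$"
)

def parse_alerts(text, year=2003):
    """Return (timestamp, scan_kind, src, dst) tuples; alert_fast omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # not a GID 122 portscan alert; ignore for this triage
        ts = datetime.strptime(f"{year}/{m.group(1)} {m.group(2)}", "%Y/%m/%d %H:%M:%S")
        events.append((ts, m.group(3), m.group(4), m.group(5)))
    return events

def triage(events, min_days=3, min_targets=2):
    """Build an analyst review queue per source. Nothing here sends mail: a single
    threshold trip is 'ignore'; only sustained or wide scanning is marked 'review'."""
    per_src = defaultdict(lambda: {"days": set(), "targets": set(), "kinds": set()})
    for ts, kind, src, dst in events:
        rec = per_src[src]
        rec["days"].add(ts.date())
        rec["targets"].add(dst)
        rec["kinds"].add(kind)
    queue = []
    for src, rec in per_src.items():
        days, targets = len(rec["days"]), len(rec["targets"])
        verdict = "review" if (days >= min_days or targets >= min_targets) else "ignore"
        queue.append({"src": src, "distinct_days": days, "distinct_targets": targets,
                      "kinds": sorted(rec["kinds"]), "verdict": verdict})
    return sorted(queue, key=lambda q: q["src"])

if __name__ == "__main__":
    for entry in triage(parse_alerts(SAMPLE_ALERTS)):
        print(entry)
```

The "review" entries are the input to a hand-written note of the kind Chris describes; the counts of distinct days and targets are the evidence the note can cite.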
-------------------------------------------------------
This SF.net email is sponsored by: eBay
Get office equipment for less on eBay!
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Firing off Abuse email based on Snort Traffic Matt Howell (May 29)
- Re: Firing off Abuse email based on Snort Traffic Matt Kettler (May 29)
- RE: Firing off Abuse email based on Snort Traffic Chris (May 29)
- RE: Firing off Abuse email based on Snort Traffic dave (May 29)
- Re: Firing off Abuse email based on Snort Traffic Matt Howell (May 29)
- Re: Firing off Abuse email based on Snort Traffic Erek Adams (May 29)
- Re: Firing off Abuse email based on Snort Traffic Matt Howell (May 29)
- Re: Firing off Abuse email based on Snort Traffic Skip Carter (May 29)
- Re: Firing off Abuse email based on Snort Traffic Budi Rahardjo (May 29)
- Re: Firing off Abuse email based on Snort Traffic Michael H. Warfield (May 29)
- RE: Firing off Abuse email based on Snort Traffic Chris (May 29)
- Re: Firing off Abuse email based on Snort Traffic Matt Kettler (May 29)
- Re: [OT] Firing off Abuse email based on Snort Traffic Matt Howell (May 30)
- Re: [OT] Firing off Abuse email based on Snort Traffic james (May 30)