Snort mailing list archives
Re: Firing off Abuse email based on Snort Traffic
From: Erek Adams <erek () snort org>
Date: Thu, 29 May 2003 18:44:18 -0400 (EDT)
On Thu, 29 May 2003, Matt Howell wrote:
I understand your argument, and I am looking for a solution that will work within the constraints that you mentioned.
[...snip...]

For the most part I'd have to side with Matt Kettler on this. I've worked in Security and Abuse at a large ISP before... If I got multiple emails that say 'One of your dialup users portscanned X machines on my network', I'd be real tempted to add that email address to the /dev/null procmail filter.

For the most part Dialup, Cable and DSL providers don't care about a portscan. You can't really show any damage or intent, you can only show connections. You can't really say that the scanner had any malicious intent--I mean it could have been a network discovery program with bad user input.

I'm not arguing that you ignore portscans. Far from it! I expect you monitor, log and data mine them just like you do everything else. Only after there is a noticeable trend or grouping should you act. I'm also not saying that portscanning is OK. I'm just saying that portscans aren't critical. On the other hand, a portscan followed by a targeted exploit would be a reason to take action, whether or not the exploit was successful has no bearing on the situation.

To be quite honest, don't send email. It's almost a waste of time in many cases. Your best result is to actually pick up the phone and call. Direct interaction with someone is an excellent way to get something done. The person on the phone might actually hear the urgency in your voice, where 'reading the urgency' from an email just might not happen.

Automation can be a lifesaver, but you should never automate things that _really_ need human decision making.

And that like all the rest of the email was my opinion. Treat it like 'free advice'--It costs you nothing and is worth nothing. ;-)

Hope that helps!

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson
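The escalation rule argued above (a scan followed by a targeted exploit from the same source, or scans piling up into a trend, goes to a human; a lone scan is only logged), as an added example that is not part of the original post or of Snort itself. It parses constructed Snort alert_fast-style lines; the sids are local placeholders, and treating any Priority 1 non-scan alert as a targeted exploit attempt is an assumption of the example.

```python
import re
from collections import defaultdict

# Constructed alert_fast-style lines (not real traffic; sids are local placeholders).
SAMPLE_ALERTS = """\
05/29-10:01:05.000000  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.7 -> 192.0.2.10
05/29-10:01:09.000000  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.7 -> 192.0.2.11
05/29-10:03:40.000000  [**] [1:1000001:1] LOCAL web exploit attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:4431 -> 192.0.2.11:80
05/29-11:15:00.000000  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 198.51.100.9 -> 192.0.2.20
05/29-13:02:11.000000  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 198.51.100.9 -> 192.0.2.21
05/29-16:40:58.000000  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 198.51.100.9 -> 192.0.2.22
05/29-17:00:00.000000  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 198.51.100.50 -> 192.0.2.30
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\].*?\{[^}]+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)"
)

def triage(alert_text, scan_threshold=3):
    """Group alerts by source and decide what a person should look at:
    'escalate' when a scan is followed by a targeted exploit attempt from
    the same source, 'review' when one source's scans reach scan_threshold
    (a trend worth data-mining), otherwise 'log only'. Nothing is mailed."""
    per_src = defaultdict(list)
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            per_src[m["src"]].append(m.groupdict())
    decisions = {}
    for src, events in per_src.items():
        events.sort(key=lambda e: e["ts"])  # same-year timestamps sort as text
        scans, scanned_then_exploited = 0, False
        for ev in events:
            if ev["msg"].startswith("(portscan)"):  # sfPortscan message prefix
                scans += 1
            # Assumption: a Priority 1 non-scan alert is a targeted exploit attempt.
            elif ev["prio"] == "1" and scans:
                scanned_then_exploited = True
        if scanned_then_exploited:
            decisions[src] = "escalate: scan followed by targeted exploit attempt"
        elif scans >= scan_threshold:
            decisions[src] = "review: repeated scans, check for a trend"
        else:
            decisions[src] = "log only"
    return decisions

if __name__ == "__main__":
    for src, decision in triage(SAMPLE_ALERTS).items():
        print(f"{src:<15} {decision}")
```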