On Fri, 26 Oct 2001, Mike Batchelor wrote:

:The problem with automated notifications to IDS alerts is that they are
:justified with faulty reasoning.
:
:He should have stopped at #1, first phrase: "I get too many security
:alerts." Well dude, configure your IDS properly. Not every spark grows to
:be a four alarm fire.

My advice regarding IDSs is that it is ridiculous to have an IDS do anything other than alert the human responsible for that sensor, as it is either ineffectual or dangerous to have any other automated system reliably act upon the information IDSs provide, in their current form. This includes strikeback, attacker notification, or any contingencies.

As an IDS collects security information, it should not have access to perform any action other than to store it and take steps to preserve the integrity of that information. In any reasonable security policy where separation of duties is enforced, a sensor shouldn't be trusted to interpret the information it collects beyond the initial alert.

I think it's irresponsible of some of the home firewall vendors to incorporate this into their products, as I can just imagine a DDoS mail attack, where you spoof a couple of packets from the network you want to damage, and thousands of idiot scripts send mail to the ARIN contact information.

This may sound irate, but seriously, I think handing users these tools with no explanation is half-assed. Though if they used a common XML alert format and could be sent to a single site for processing (a la aris.securityfocus), that might be a little more sensible. It doesn't make sense to equip users with an automated incident reporting tool with nobody to report to.

My 1.26904 cents after exchange.

--
batz
Reluctant Ninja
Defective Technologies