Peter Beckman <beckman@angryox.com> writes: ...snip "use snort" suggestion....
This is what I think we should ALL be doing -- monitoring our own network to make sure we aren't the source, via customers, of the spam or DOS attacks. All outbound email from your own network should be scanned by some sort of best-practice system before delivery to prevent or limit spam from originating on your network. IMO. But let's be realistic -- the reality is that not everyone does, due to financial or resource or management constraints.
I believe that in the case of a VPS provider like EC2, monitoring outgoing traffic with an IDS is cheaper than not monitoring it. Abuse reports are expensive to process. You need people with both social and technical skills on your end, people with social and technical skills who are willing to do what amounts to technical support. Often the abuse reports are vague, requiring back-and-forth. Even if your IDS only catches a small percentage of the abuse-generating complaints (and I bet the IDS can get a large percentage of the complaint-generating abuse - it takes a lot of abuse to generate a complaint) you are saving a lot of money on abuse desk services. Heck, I bet just the ability to search IDS logs after an abuse report would pay for the IDS.