Security Basics mailing list archives
Re: Incident Response
From: "Byrne Ghavalas" <security () nscs uk com>
Date: Tue, 10 Dec 2002 18:40:45 -0000
Hi,

I wouldn't recommend writing a script to 'automatically scan them back', for several reasons. The most obvious reason is that some scans are simply spoofed. If a script 'automatically scanned them back', it would be quite easy to get the script to scan innocent sites. Naturally there are several other moral and legal reasons for not writing such a script, but I believe they are off topic for this thread.

With regards to the original question - I agree that there is no need to take further action. Provided the firewall logs are showing that the packets are dropped and the application server logs also appear normal, nothing further needs to be done.

Reporting of incidents can take quite a lot of effort. If one believes that an incident is serious enough or warrants reporting, by all means do so.

Kind regards,
Byrne Ghavalas

----- Original Message -----
From: "Chris Berry" <compjma () hotmail com>
To: <security-basics () securityfocus com>
Sent: Monday, December 09, 2002 9:25 PM
Subject: Re: Incident Response
From: H C <keydet89 () yahoo com>

My general question is just when do I need to do something other than just check my firewall logs for the source address and verify they weren't successful in gaining access anywhere vs. actually reporting an incident.

Why do anything? The general sense is that the return doesn't really justify the time required to report such things. So, if the scans are unsuccessful, why bother with them at all? Seems like a colossal waste of time...

You could write a script to automatically scan them back, if they know you're watching they'll probably be less interested in messing with you.
Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"Live dangerously, overclock your servers."