Security Basics mailing list archives
Re: Dealing with port/vulnerability scans
From: krymson () gmail com
Date: Tue, 24 Nov 2009 15:53:13 -0700
I tend to allow port scans, IP scans, and full blown vulnerability scans to populate my IDS/IPS with alerts. However, I can always clear/approve them out. In fact, most of the time I just leave the port/ip scans up on my dashboard in case there are follow-up attacks. This might let me quickly see that the original scans were just recon to a real attack. I prefer to see them rather than tune them out and, with them, real attacks. Likewise, an auditor will be a bit annoyed if she scans your system and you look blankly at her because you're ignoring those scans.

If you have a specific box (ip) that does vuln scans on your own systems, feel free to add specific ignores on those alerts after you see them. Let them fire in just so you know what they look like and what to specifically ignore. I wouldn't ignore that whole box completely, as suddenly you've created a black hole and you'll never see if that system gets subverted or untrusted.

1. I'm not a big fan of blocking IPs, as I have seen small instances where a legit customer is behind a proxy or NAT and one bad apple triggers a block that locks out the whole facility. Not cool. That's when you get the business telling security how to do its job (by not blocking).

2. I consider this a matter of what you feel comfortable doing. I'd first suggest you report it to the originating IP, but don't expect too many responses or actions. I would not fault anyone for not bothering to waste their time. If you do report it, that's about it. Report it and move on. Try to give so much information up front that there is no need to keep it fresh in memory for follow-up questions.

I fall on the side of preferring more information than less. If I don't have enough, I may get rid of the clutter, but I lose a lot of context and correlation that may indicate something broader. I've seen just as many instances where an aggregation of alerts means more than a single alert.
<soapbox> Keep in mind an IDS/IPS dashboard is not meant to show only the worst attacks and then nothing else and be clean. It is meant to show everything that *may* be an attack; that way you *will hopefully* see every attack. Sifting through false positives and investigating suspicious entries is the job of an analyst. No automation will ever replace that. </soapbox>

<- snip ->

Hi,

I'm tuning my IDS and I'm thinking of taking out the portscan/web vulnerability scan rules. Why? Because, yes - I know that somebody may be scanning my network - but, what can I do about it?

1. Block the IP? But, what if it's NAT - meaning only 1 workstation/user did the port scanning, I would be blocking all the possibly valid users behind that IP.

2. Report it to their ISP or to them? Then what?

I want my IDS console not to be too cluttered, that's why I'm tuning it. If it's too cluttered - I might be missing out the really important alerts.

What about you? How do you deal with port/vulnerability scans? Is it illegal btw?

Thanks.

Best,
Tony
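The two points above (suppress only the scanner box's known scan signatures rather than the whole host, and keep scan alerts around so recon followed by a real attack stands out) as a small worked example. This is added illustration code, not part of the original post or any particular IDS; the IP addresses, signature ids and timestamps are constructed sample data.

```python
from collections import defaultdict

# Constructed sample alerts: (timestamp_seconds, src_ip, sid, classification)
ALERTS = [
    (100, "10.0.0.5", 122, "portscan"),         # assumed in-house vuln scanner box
    (101, "10.0.0.5", 1000, "web-vuln-scan"),
    (102, "10.0.0.5", 2400, "shellcode"),       # not a scan: must still surface
    (200, "198.51.100.7", 122, "portscan"),     # external recon ...
    (260, "198.51.100.7", 1000, "web-vuln-scan"),
    (900, "198.51.100.7", 2400, "shellcode"),   # ... followed by a real attack
    (300, "203.0.113.9", 122, "portscan"),      # recon with no follow-up
]

# Targeted ignores: (src_ip, sid) pairs seen from the scanner box and then
# deliberately suppressed. The host itself is never ignored wholesale.
SUPPRESS = {("10.0.0.5", 122), ("10.0.0.5", 1000)}
SCAN_CLASSES = {"portscan", "web-vuln-scan"}


def filter_alerts(alerts, suppress=SUPPRESS):
    """Drop only the (src, sid) pairs on the suppress list; keep everything else,
    so a non-scan alert from the scanner box still reaches the dashboard."""
    return [a for a in alerts if (a[1], a[2]) not in suppress]


def recon_followed_by_attack(alerts, window=3600):
    """Map source -> non-scan alerts that arrived within `window` seconds after
    that source's first scan alert. This is the correlation you lose if scan
    alerts are tuned out entirely."""
    first_scan = {}
    hits = defaultdict(list)
    for ts, src, sid, cls in sorted(alerts):
        if cls in SCAN_CLASSES:
            first_scan.setdefault(src, ts)
        elif src in first_scan and ts - first_scan[src] <= window:
            hits[src].append((ts, sid, cls))
    return dict(hits)


if __name__ == "__main__":
    kept = filter_alerts(ALERTS)
    for alert in kept:
        print("dashboard:", alert)
    for src, follow_ups in recon_followed_by_attack(kept).items():
        print("recon then attack from", src, "->", follow_ups)
```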
Current thread:
- Re: Dealing with port/vulnerability scans krymson (Sep 10)