Security Incidents mailing list archives
Re: Interesting reply
From: "Andersen, Bryan" <bryan () VISI COM>
Date: Wed, 27 Sep 2000 10:16:57 -0500
Interesting reply to a scanning alert I sent out.Nothing personal to anyone...but if you've got time to report every little port scan that you get (call it what you will...scan, probe, whatever...) then you've got a LOT of time on your hands!
Only an hour a week...
After reading this list, and others on SF...I still fail to see why so many folks are reporting port scans, expecting the folks at ISPs to "do something" about them. First off...port scans, in and of themselves, are nothing more than a minor annoyance at best (insert appropriate analogy here). If a scan reaches a level that it's consuming an inordinate amount of bandwidth, then it ceases to be a scan and becomes a DoS attack.
I agree that a port scan maybe a minor annoyance. So I've made it a minor task to create and send scanning reports. I maby average 5 minutes per report sent. Most of the work is done by filters and scripts. I just cut and paste then do fine tuning edits. For a scan that signature I've seen before it's maby a minute task to create and send a report. For a new signature I spend a bit more time possibly adding code to my filters, or adding a new template to my reporting templates. Even then I don't send reports on all scans I see. I usually concentrate on anything that looks interesting and ones that have a new pattern to me. When I have time I try to send reports on all the scans I see as I know I will see a drop in the number of scans in following weeks if I do. I also see it as a way to make the cracker's life a little bit harder. As said, I usually spend only and hour a week on it. -- Bryan
Current thread:
- Interesting reply Bryan Andersen (Sep 27)
- <Possible follow-ups>
- Re: Interesting reply H Carvey (Sep 27)
- Re: Interesting reply Andersen, Bryan (Sep 27)
- Re: Interesting reply Rick Ballard (Sep 28)
- Re: Interesting reply Joe McAlerney (Sep 28)
- Re: Interesting reply H Carvey (Sep 28)
- Re: Interesting reply Buhrmaster, Gary (Sep 28)