Security Incidents mailing list archives

Re: Interesting reply


From: "Andersen, Bryan" <bryan () VISI COM>
Date: Wed, 27 Sep 2000 10:16:57 -0500


Interesting reply to a scanning alert I sent out.

Nothing personal to anyone...but if you've got time to
report every little port scan that you get (call it
what you will...scan, probe, whatever...) then you've
got a LOT of time on your hands!

Only an hour a week...

After reading this list, and others on SF...I still
fail to see why so many folks are reporting port
scans, expecting the folks at ISPs to "do something"
about them.  First off...port scans, in and of
themselves, are nothing more than a minor annoyance at
best (insert appropriate analogy here).  If a scan
reaches a level that it's consuming an inordinate
amount of bandwidth, then it ceases to be a scan and
becomes a DoS attack.

I agree that a port scan may be a minor annoyance.  So I've made it a
minor task to create and send scanning reports.  I maybe average 5
minutes per report sent.  Most of the work is done by filters and
scripts.  I just cut and paste then do fine tuning edits.  For a scan
signature that I've seen before it's maybe a minute task to create and
send a report.  For a new signature I spend a bit more time possibly
adding code to my filters, or adding a new template to my reporting
templates.  Even then I don't send reports on all scans I see.  I
usually concentrate on anything that looks interesting and ones that
have a new pattern to me.  When I have time I try to send reports on
all the scans I see as I know I will see a drop in the number of
scans in following weeks if I do.  I also see it as a way to make
the cracker's life a little bit harder.  As said, I usually spend
only an hour a week on it.

-- Bryan

