Security Incidents mailing list archives
Re: Handling Scans.
From: "Reeves, Mike" <MReeves () SYNCHRONY NET>
Date: Tue, 13 Feb 2001 15:20:42 -0500
I personally would not have it autosend, just autogenerated. We could be bringing on a financial institute as a customer and they handle scans very seriously. (Like all should be investigated) To me the scans are harmless... I have all ICMP error messages turned off... everything is behind a firewall.... Usually all they get is available hosts and tcpip fingerprinting from ICMP echo. I can be scanned all day.. don't bother me. I am just getting pressure from people up the food chain from me. The reason I started this thread was to see what other people out there are doing in their own situations.

Mike

-----Original Message-----
From: Abe Getchell [mailto:agetchel () KDE STATE KY US]
Sent: Tuesday, February 13, 2001 2:37 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Handling Scans.

Hi Abel,

Generating an e-mail automatically to be sent to an outside organization can be a dangerous game to play. For instance, if I were mad at Microsoft I could spoof a scan from their address range toward your network and fill up their security admin's mailbox with e-mail. Same thing with automatically pushing rules out to a firewall ala ISS as many other members of this list have mentioned they are doing. I could scan your network and spoof my IP address with the 13 root DNS servers and watch your network crash and burn as your IDS pushes out a rule blocking all traffic coming from these systems. Automating _any_ action which denies or grants access to network resources is a _Bad Thing_. Security decisions, including the handling of security incidents, should _always_ be handled by security staff.

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice 502-564-2020x225
E-mail agetchel () kde state ky us
Web http://www.kde.state.ky.us/
-----Original Message-----
From: abel wisman [mailto:abel () ABLE-TOWERS COM]
Sent: Monday, February 12, 2001 12:31 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Handling Scans.

This matter is interesting, and I was thinking about it upon reading the previous posting.

As a shell/web host, the numbers of scans that pass by daily are staggering, certainly I would like to sit down and write to all ISPs about their "clients" doing this, however time is an elusive article nowadays.

Has (in addition to the question already asked) anybody made (perhaps) an automated system based on for instance iplog, snort or tripwire, where mail is generated to do this automatically?

would be an interesting feature

abel wisman
ABLE Towers LLC
www.able-towers.com
www.url.org

On Monday 12 February 2001 10:28, Reeves, Mike wrote:

I was trying to get some community type feedback on what people usually do in handling scans of their networks. At home I usually look back at the person scanning me. I get scanned about 5 times a day. Should I take the time to contact the admin or should I just let it go? What do most people do?

Mike K. Reeves
Networking Services Engineer, Synchrony Communications, Inc.
MCSE Microsoft Certified System Eliminator
"Geek by nature... Linux By Choice..."
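
The two positions in this thread (reports autogenerated but not autosent, and no automated action on a source address that could be spoofed) can be combined in a review queue, shown here as an added example that is not part of the original messages. The alert fields, the protected list and the sample addresses are constructed assumptions, not output from iplog, snort or any other tool.

```python
import ipaddress
from collections import defaultdict

# Constructed sample alerts using documentation address ranges.
# "handshake" marks whether a completed TCP handshake was seen from the source.
SAMPLE_ALERTS = [
    {"src": "198.51.100.7", "dport": 22, "handshake": True},
    {"src": "198.51.100.7", "dport": 80, "handshake": True},
    {"src": "203.0.113.53", "dport": 53, "handshake": False},
    {"src": "192.0.2.10", "dport": 23, "handshake": False},
]
# Hypothetical list of networks that must never be mailed or blocked automatically.
PROTECTED = [ipaddress.ip_network("203.0.113.0/24")]

def build_review_queue(alerts, protected=PROTECTED):
    """Group alerts by source and draft a report for each; nothing is sent or blocked."""
    by_src = defaultdict(list)
    for alert in alerts:
        by_src[alert["src"]].append(alert)
    queue = []
    for src, hits in sorted(by_src.items()):
        addr = ipaddress.ip_address(src)
        ports = sorted({h["dport"] for h in hits})
        notes = []
        if any(addr in net for net in protected):
            notes.append("source is on the protected list")
        if not any(h["handshake"] for h in hits):
            notes.append("no completed handshake, source address may be spoofed")
        queue.append({
            "src": src,
            "ports": ports,
            "notes": notes,
            "status": "needs_review",  # a person decides what happens next
            "draft": f"Scan activity observed from {src} against ports {ports}.",
        })
    return queue

if __name__ == "__main__":
    for item in build_review_queue(SAMPLE_ALERTS):
        print(item)
```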