Security Incidents mailing list archives

Re: Handling Scans.


From: John Nemeth <jnemeth () VICTORIA TC CA>
Date: Wed, 14 Feb 2001 04:36:29 -0800

On Jul 5, 11:43am, "E, M" wrote:
}
} An irritation can morph into destructive at its next code evolution;
} thus the priority of other-ISP involvement changes from 'hello, you have
} a naughty user' to '#%$@! you need to do something about this *now*!'.
} Will an auto-responder differentiate, know which ones require the
} '#%$@!' notification, which ones need follow-up?   How about the ISP?
} Are they more likely to black-hole an auto-notification?  (lol I have no
} clue to the answers to these questions, btw.)

     I tend to bit bucket them.

     As an example, on one day I got two complaints that one of my
systems was port scanning people.  One came from a Windows user that
had BlackIce, ZoneAlarm, or something like that.  The other came from a
Linux user that was using ipchains and perhaps snort or something
similar.  The port scan in question was simply an ident query.  Both
complaints were tossed straight into the bit bucket without a
response.  If I get complaints from people that are totally clueless
about perfectly normal things, I just toss them.  I don't have nearly
enough time as is...

} I'm an old-fashioned girl: clinging to the idea that human judgment and
} consistent hands-on monitoring are a necessary component of security.

     I'd just like to add that it has to be done by somebody that
actually has a clue.

}-- End of excerpt from "E, M"
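The ident query that was reported as a "port scan" above is a common false positive: a mail or IRC server you just connected to calls back to TCP/113 to look up the connecting user. As an added example (not code from the thread or its author), this small triage routine correlates inbound 113/tcp attempts with recent outbound connections to the same peer, using constructed log lines in an assumed "ts dir src -> dst" format, so that ident callbacks are separated from unexplained probes before anyone writes a complaint:

```python
"""Triage inbound TCP/113 attempts: ident callback or unexplained probe?

An inbound connection to port 113 arriving shortly after we opened an
outbound connection to that same peer is the peer's ident lookup, not a
scan. Anything else on 113 is left for a human to look at.
"""
from datetime import datetime, timedelta

IDENT_PORT = 113
WINDOW = timedelta(seconds=30)  # how long after an outbound connect a callback is expected

# Constructed sample log (assumed format): "<ts> <IN|OUT> <src>:<sport> -> <dst>:<dport>"
# 10.0.0.5 is our host; the first peer is an SMTP server doing an ident lookup,
# the second peer touches 113 without any prior contact from us.
SAMPLE_LOG = """\
2001-02-14T04:30:01 OUT 10.0.0.5:40211 -> 192.0.2.10:25
2001-02-14T04:30:02 IN  192.0.2.10:3390 -> 10.0.0.5:113
2001-02-14T04:31:10 IN  198.51.100.7:55001 -> 10.0.0.5:113
2001-02-14T04:31:11 IN  198.51.100.7:55002 -> 10.0.0.5:22
"""


def parse(line):
    """Split one log line into (timestamp, direction, src_ip, src_port, dst_ip, dst_port)."""
    ts, direction, src, _arrow, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), direction, sip, int(sport), dip, int(dport)


def classify_ident(log):
    """Return [(peer_ip, verdict)] for every inbound TCP/113 attempt in the log.

    verdict is "ident-callback" when we connected out to that peer within
    WINDOW before the attempt, otherwise "unexplained".
    """
    last_outbound = {}  # peer ip -> time of our most recent outbound connection
    verdicts = []
    for raw in log.splitlines():
        ts, direction, sip, _sport, dip, dport = parse(raw)
        if direction == "OUT":
            last_outbound[dip] = ts
        elif dport == IDENT_PORT:
            seen = last_outbound.get(sip)
            if seen is not None and ts - seen <= WINDOW:
                verdicts.append((sip, "ident-callback"))
            else:
                verdicts.append((sip, "unexplained"))
    return verdicts


if __name__ == "__main__":
    for peer, verdict in classify_ident(SAMPLE_LOG):
        print(f"{peer}: {verdict}")
```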

