Security Incidents mailing list archives

Re: Scanning Port UDP 4668


From: H C <keydet89 () yahoo com>
Date: Tue, 23 Jul 2002 10:18:34 -0700 (PDT)


I'm really kind of surprised that a CISSP is taking
this approach to such a problem.

Why? What is wrong in asking the community when one
has done all the research he was able to do? Isn't it
what this list is for? And how do you know why he is
asking - maybe his security policy asks him to
investigate this specific case?

Unfortunately, you've missed the point as well.  Of
course, there is nothing wrong w/ "asking the
community".  However, for a CISSP who works for
FedCERT to ask the question that Ken did is ludicrous.
 

 
packets headed for this port.  Fine.  *How* did they
find them?  Were they dropped by a firewall?  If
so...so what?  Better to spend the time on things that
matter than chasing after shiny objects.

Again, I prefer not to teach a person to do his job
unless I am asked for this :)

Okay, that's your stance.  However, there are cases in
which people need to be taught how to do their jobs.

Maybe this system is so critical that it is needed
to investigate the slightest possibility of
compromise/unknown exploit?

Okay, so you choose to make an entirely different set
of assumptions with regard to this issue.  That's
fine.  I happen to see it differently...a couple of
datagrams were presumably dropped at the firewall, and
no data from those datagrams was collected.  All we
know is the destination port.  Looking for what
*should* be on that port, based on port listings, has
long been shown to be a waste of time as far as
finding an answer is concerned.  

And what is wrong with pure curiosity? :)

Nothing at all.  
 
Were they logged by an IDS?  If so, what data is
carried in the datagram?

He said it was a scan, so presumably the data
portion was empty.

That's your assumption.  I didn't make that
assumption...I asked for clarification.  
 
If they find nothing, this still will not answer the
question on what the scanning person was looking
for.

Maybe.  But if something *is* found, then it would
answer the question.

Also, with regard to the scan...if the datagrams were
dropped, and the scan had no other effect than to add
a couple of lines to the log files...who cares?  A
CISSP should know that in the big scheme of things,
and as far as day-to-day security operations are
concerned, such an event is irrelevant.  A CISSP
should also know not to waste a customer's time (and
money) pursuing such things, particularly when there
are other, more important things to be handled and
investigated.

P.S. Yes, I'm a CISSP too :)

Goody for you!  My CISSP served its purpose...it got
me past the headhunters and HR folks so I could
actually get an interview...so I let it expire.  I
really didn't get any other value from it...it wasn't
worth the annual subscription fee.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com