Security Incidents mailing list archives
Re: Scanning Port UDP 4668
From: H C <keydet89 () yahoo com>
Date: Tue, 23 Jul 2002 10:18:34 -0700 (PDT)
I'm really kind of surprised that a CISSP is taking this approach to such a problem.
Why? what is wrong in asking the community when one has done all the research he was able to do? Isn't it what this list is for? And how do you know why he is asking - maybe his security policy asks him to investigate this specific case?
Unfortunately, you've missed the point as well. Of course, there is nothing wrong w/ "asking the community". However, for a CISSP who works for FedCERT to ask the question that Ken did is ludicrous.
packets headed for this port. Fine. *How* did they find them? Were they dropped by a firewall? If so...so what? Better to spend the time on things that matter than chasing after shiny objects.
Again, I prefer not to teach a person to do his job unless I am asked for this :)
Okay, that's your stance. However, there are cases in which people need to be taught how to do their jobs.
Maybe this system is so critical that it is needed to investigate the slightest possibility of compromise/unknown exploit?
Okay, so you choose to make an entirely different set of assumptions with regard to this issue. That's fine. I happen to see it differently...a couple of datagrams were presumably dropped at the firewall, and no data from those datagrams was collected. All we know is the destination port. Looking for what *should* be on that port, based on port listings, has long been shown to be a waste of time as far as finding an answer is concerned.
And what is wrong with pure curiosity? :)
Nothing at all.
Were they logged by an IDS? If so, what data is carried in the datagram?
He said it was a scan, so presumably the data portion was empty.
That's your assumption. I didn't make that assumption...I asked for clarification.
If they find nothing, this still will not answer the question on what the scanning person was looking for.
Maybe. But if something *is* found, then it would answer the question. Also, regards to the scan...if the datagrams were dropped, and the scan had no other effect than to add a couple of lines to the log files...who cares? A CISSP should know that in the big scheme of things, and as far as day-to-day security operations are concerned, such an event is irrelevant. A CISSP should also know not to waste a customer's time (and money) pursuing such things, particularly when there are other, more important things to be handled and investigated.
P.S. Yes, I'm a CISSP too :)
Goody for you! My CISSP served its purpose...it got me past the headhunters and HR folks so I could actually get an interview...so I let it expire. I really didn't get any other value from it...it wasn't worth the annual subscription fee.
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com