Nmap Announce mailing list archives
Re: can/should
From: Jose Nazario <jose () biocserver BIOC CWRU Edu>
Date: Wed, 24 May 2000 10:39:19 -0400 (EDT)
On Tue, 23 May 2000, Barry Hudson wrote:
As a new firewall admin I have a question for the white hats. I log port scans and do a whois to locate the ISP that owns the IP address. My question is what else can/should be done. I have no other reason to believe they got through or committed any crime. What else are you guys doing? I hope this is not too far off topic.
we had this conversation last month on INCIDENTS (www.securityfocus.com). my approach is to note to the domain and site admins that 'hey, someone is scanning'. while not a crime, it's often a prelude to a crime and goes against most AUPs (scanning without consent of the target). it can be a sign of more insidious activity or a compromised machine, so i say fire off a note noting the scan. many others felt similarly, and many others felt that a scan is not a crime and happens so often you should ignore it.

jose nazario
jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc