Snort mailing list archives
Re: What do you with scan alerts
From: Erick Mechler <emechler () techometer net>
Date: Wed, 19 Feb 2003 07:39:06 -0800
:: What do you normally do with scans that you get on
:: your network, should I mail them to responsible ISP or
:: university etc. or should I keep ignoring them.

The answer to this depends on the security policy you have in place. If you really do care about port scans, or perhaps just one-off port probes, then by all means write the owner of the source IP and ask them to stop, disable the IP, take action against the owner, etc.

If you get hundreds or thousands of these a day and you just can't respond to all of them, you need to decide what your threshold is. For example, if someone tries a web-specific exploit 100 times, I'm probably not going to bother. However, if someone scans entire /24's and generates nearly 7k alerts, it's going to get noticed, and chances are I'm probably going to do something about it. These numbers are completely arbitrary and depend on several factors:

1. How important port scans really are to you
2. How busy you are
3. How many alerts you get in a given hour/day/week
4. How good your contacts are at ISPs :)

I'd say it's common sentiment that port scans aren't really that threatening by themselves (assuming, of course, your firewalls are doing what they're supposed to). However, they can be a sign for attacks to come, and they can be very useful for determining how someone gained unauthorized access during a post-mortem.

Cheers - Erick
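The threshold-based triage described in the reply above, as an added example that is not part of the original post: it aggregates Snort fast-format alert lines per source IP and reports only sources that cross a volume or breadth threshold. The thresholds, function names, rule messages, SIDs and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Snort "fast" alert line:
#   timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?"
)

def summarize(lines):
    """Per source IP: total alerts, distinct target hosts, distinct target /24s."""
    stats = defaultdict(lambda: {"alerts": 0, "hosts": set(), "nets": set()})
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a fast-format alert line
        s = stats[m["src"]]
        s["alerts"] += 1
        s["hosts"].add(m["dst"])
        s["nets"].add(ip_network(m["dst"] + "/24", strict=False))
    return stats

def triage(lines, min_alerts=1000, min_hosts=200):
    """Sources worth a follow-up. Thresholds are hypothetical; set them
    from your own policy, workload and alert volume."""
    flagged = []
    for src, s in summarize(lines).items():
        if s["alerts"] >= min_alerts or len(s["hosts"]) >= min_hosts:
            flagged.append((src, s["alerts"], len(s["hosts"]), len(s["nets"])))
    return sorted(flagged, key=lambda row: row[1], reverse=True)

def sample_alerts():
    """Constructed sample log using documentation address ranges."""
    lines = []
    for host in range(1, 255):       # one source sweeping a whole /24
        for port in range(1, 28):    # 254 hosts x 27 ports = 6858 alerts
            lines.append(f"02/19-07:39:06.000000  [**] [1:1000001:1] SCAN probe [**] "
                         f"[Priority: 2] {{TCP}} 203.0.113.7:40000 -> 192.0.2.{host}:{port}")
    for _ in range(100):             # another source repeating one web exploit
        lines.append("02/19-07:40:00.000000  [**] [1:1000002:1] WEB exploit attempt [**] "
                     "[Priority: 1] {TCP} 198.51.100.9:51000 -> 192.0.2.80:80")
    return lines

if __name__ == "__main__":
    for src, alerts, hosts, nets in triage(sample_alerts()):
        print(f"{src}: {alerts} alerts, {hosts} hosts, {nets} /24 network(s)")
```

Counting distinct targets alongside raw alert volume separates a sweep of a whole network from a noisy repeat against a single host, which is the distinction the reply draws.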
Current thread:
- What do you with scan alerts pro0digy (Feb 18)
- Re: What do you with scan alerts Erick Mechler (Feb 19)
- Re: What do you with scan alerts Charles Darwin (Feb 20)