Re: Incident response to being scanned

[H Carvey <keydet89 () yahoo com>]

In-Reply-To: <20030425051605.5458.qmail () www securityfocus com>


> What is considered the best practice for dealing with
these incidents? 
> Should I be filing abuse reports with the ISPs of the
source IPs?  This 
> obviously takes time.  I am looking for a business
case to justify the 
> time spent responding.  

If you're being scanned, that just means that you're
connected to the Internet.  The fact that the scans are
not successful, and are being dropped, is a good thing.  

I guess my question is why would you waste time
following up on each and every scan?  Perhaps the
reason you're having trouble developing a business case
for this investment of time and energy is that...well,
there isn't one.  

I followed up on a Nimda scan...once.  But that's b/c
the same IP kept showing up in my logs for three
consecutive days.  Other than that...forget it.  

Harlan

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place.  http://www.securityfocus.com/BlackHat-security-basics 
----------------------------------------------------------------------------