Security Basics mailing list archives

Re: Dealing with port/vulnerability scans


From: krymson () gmail com
Date: Tue, 24 Nov 2009 15:53:13 -0700

I tend to allow port scans, IP scans, and full blown vulnerability scans to populate my IDS/IPS with alerts. However, I 
can always clear/approve them out. In fact, most of the time I just leave the port/ip scans up on my dashboard in case 
there are follow-up attacks. This might let me quickly see that the original scans were just recon to a real attack. I 
prefer to see them rather than tune them out, and real attacks with them. Likewise, an auditor will be a bit annoyed if she 
scans your system and you look blankly at her because you're ignoring those scans.

If you have a specific box (ip) that does vuln scans on your own systems, feel free to add specific ignores on those 
alerts after you see them. Let them fire in just so you know what they look like and what to specifically ignore. I 
wouldn't ignore that whole box completely, as suddenly you've created a black hole and you'll never see if that system 
gets subverted or untrusted.

1. I'm not a big fan of blocking IPs, as I have seen small instances where a legit customer is behind a proxy or NAT 
and one bad apple triggers a block that locks out the whole facility. Not cool. That's when you get the business 
telling security how to do its job (by not blocking).

2. I consider this a matter of what you feel comfortable doing. I'd first suggest you report it to the originating IP, 
but don't expect too many responses or actions. I would not fault anyone for not bothering to waste their time. If you 
do report it, that's about it. Report it and move on. Try to give so much information up front that there is no need to 
keep it fresh in memory for follow-up questions.

I fall on the side of preferring more information than less. If I don't have enough, I may get rid of the clutter, but 
I lose a lot of context and correlation that may indicate something broader. I've seen just as many instances where an 
aggregation of alerts means more than a single alert.

<soapbox>
Keep in mind an IDS/IPS dashboard is not meant to show only the worst attacks and then nothing else and be clean. It is 
meant to show everything that *may* be an attack; that way you *will hopefully* see every attack. Sifting through false 
positives and investigating suspicious entries is the job of an analyst. No automation will ever replace that.
</soapbox>


<- snip ->
Hi,

I'm tuning my IDS and I'm thinking of taking out the portscan/web
vulnerability scan rules. Why? Because, yes - I know that somebody
may be scanning my network - but, what can I do about it?

1. Block the IP? But, what if it's NAT - meaning only 1
workstation/user did the port scanning, I would be blocking all the
possibly valid users behind that IP.
2. Report it to their ISP or to them? Then what?

I want my IDS console not to be too cluttered, that's why I'm tuning
it. If it's too cluttered - I might be missing out on the really
important alerts.

What about you? How do you deal with port/vulnerability scans? Is it
illegal btw?

Thanks.

Best,
Tony
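The approach krymson describes above (suppress only the specific scan signatures you expect from your own scanner box, keep everything else that box trips, and leave scan alerts from other sources visible so follow-up attacks can be tied back to the recon) as an added example that is neither poster's code. The alert tuples, signature names and addresses are constructed for illustration and are not real Snort rules or IoCs.

```python
"""Added example: scoped alert suppression plus scan-to-follow-up correlation.
Alert format, signature names and IP addresses below are constructed."""
from collections import defaultdict

# Constructed sample alerts: (timestamp, signature, source IP, dest IP).
ALERTS = [
    (100, "SCAN nmap TCP", "10.0.0.5", "10.0.1.20"),        # known in-house scanner box
    (105, "SCAN nmap TCP", "203.0.113.7", "10.0.1.20"),
    (110, "WEB-MISC /etc/passwd access", "203.0.113.7", "10.0.1.20"),
    (120, "SCAN nmap TCP", "198.51.100.9", "10.0.1.21"),
    (130, "SHELLCODE x86 NOOP", "10.0.0.5", "10.0.1.22"),   # scanner box doing something unexpected
]

# Suppress only the (signature, source) pairs the in-house scanner is expected
# to trigger, never the whole source: anything else from that box still fires,
# so a subverted scanner does not become a black hole.
SUPPRESS = {("SCAN nmap TCP", "10.0.0.5")}


def filter_alerts(alerts, suppress=SUPPRESS):
    """Drop alerts whose exact (signature, source) pair is on the suppress list."""
    return [a for a in alerts if (a[1], a[2]) not in suppress]


def follow_up_sources(alerts, window=600):
    """Return source IPs whose scan alert was followed, within `window`
    seconds, by a non-scan alert: the recon-then-attack pattern worth
    keeping scan alerts on the dashboard for."""
    scan_times = defaultdict(list)
    flagged = set()
    for ts, sig, src, _dst in sorted(alerts):
        if sig.startswith("SCAN "):
            scan_times[src].append(ts)
        elif any(0 <= ts - t <= window for t in scan_times[src]):
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    kept = filter_alerts(ALERTS)
    for alert in kept:
        print("ALERT", alert)
    print("scan followed by attack from:", sorted(follow_up_sources(kept)))
```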
