Security Incidents mailing list archives

Re: Handling Scans.


From: Abe Getchell <agetchel () KDE STATE KY US>
Date: Tue, 13 Feb 2001 14:37:22 -0500

Hi Abel,
        Generating an e-mail automatically to be sent to an outside
organization can be a dangerous game to play.  For instance, if I were mad
at Microsoft I could spoof a scan from their address range toward your
network and fill up their security admin's mailbox with e-mail.  Same thing
with automatically pushing rules out to a firewall ala ISS as many other
members of this list have mentioned they are doing.  I could scan your
network and spoof my IP address with the 13 root DNS servers and watch your
network crash and burn as your IDS pushes out a rule blocking all traffic
coming from these systems.  Automating _any_ action which denies or grants
access to network resources is a _Bad Thing_.  Security decisions, including
the handling of security incidents, should _always_ be handled by security
staff.

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel () kde state ky us
Web     http://www.kde.state.ky.us/



-----Original Message-----
From: abel wisman [mailto:abel () ABLE-TOWERS COM]
Sent: Monday, February 12, 2001 12:31 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Handling Scans.


This matter is interesting, and I was thinking about it upon reading the
previous posting.
As a shell/web host, the numbers of scans that pass by daily are staggering,
certainly I would like to sit down and write to all ISPs about their
"clients" doing this, however time is an elusive article nowadays.

Has (in addition to the question already asked) anybody made (perhaps) an
automated system based on for instance iplog, snort or tripwire, where mail
is generated to do this automatically?

Would be an interesting feature.

abel wisman
ABLE Towers LLC

www.able-towers.com
www.url.org

On Monday 12 February 2001 10:28, Reeves, Mike wrote:
I was trying to get some community type feedback on what people usually do
in handling scans of their networks. At home I usually look back at the
person scanning me. I get scanned about 5 times a day. Should I take the
time to contact the admin or should I just let it go? What do most people
do?

Mike K. Reeves
Networking Services Engineer,
Synchrony Communications, Inc.
MCSE Microsoft Certified System Eliminator
"Geek by nature... Linux By Choice..."
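
Added example, not part of any message in this thread: a sketch of the gate Abe Getchell's reply argues for, where IDS alerts only ever become tickets for security staff and a scan whose source address could be spoofed is never turned into a block or a complaint on its own. The alert fields, function names and addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Constructed stand-in for sources that must never be blocked without review
# (for example the DNS servers the network depends on).
PROTECTED = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed alerts. handshake=False means only unanswered probes were seen,
# so nothing proves the packets really came from the claimed source address.
ALERTS = [
    {"src": "192.0.2.53", "sig": "portscan", "handshake": False},
    {"src": "203.0.113.9", "sig": "portscan", "handshake": False},
    {"src": "198.51.100.7", "sig": "ssh-bruteforce", "handshake": True},
]


def triage(alert, protected=PROTECTED):
    """Classify one alert. Returns (decision, reasons); changes nothing itself."""
    src = ipaddress.ip_address(alert["src"])
    reasons = []
    if any(src in net for net in protected):
        reasons.append("source is on the protected list")
    if not alert["handshake"]:
        reasons.append("no completed handshake, source may be spoofed")
    # Even the best case is only a proposal that a person must approve.
    return ("hold" if reasons else "propose-block"), reasons


def build_review_queue(alerts):
    """Turn alerts into tickets for security staff; no rule or mail is sent."""
    queue = []
    for alert in alerts:
        decision, reasons = triage(alert)
        queue.append({"src": alert["src"], "sig": alert["sig"],
                      "decision": decision, "reasons": reasons})
    return queue


if __name__ == "__main__":
    for ticket in build_review_queue(ALERTS):
        why = "; ".join(ticket["reasons"]) or "source verified, awaiting approval"
        print(f'{ticket["src"]:<14} {ticket["sig"]:<15} {ticket["decision"]:<14} {why}')
```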


