Security Incidents mailing list archives

Re: Handling Scans.


From: "Reeves, Mike" <MReeves () SYNCHRONY NET>
Date: Tue, 13 Feb 2001 15:20:42 -0500

I personally would not have it autosend, just autogenerated. We could
be bringing on a financial institute as a customer and they handle scans
very seriously. (Like all should be investigated.) To me the scans are
harmless... I have all ICMP error messages turned off... everything is
behind a firewall... Usually all they get is available hosts and TCP/IP
fingerprinting from ICMP echo. I can be scanned all day... doesn't bother me. I
am just getting pressure from people up the food chain from me. The reason I
started this thread was to see what other people out there are doing in
their own situations.

Mike

-----Original Message-----
From: Abe Getchell [mailto:agetchel () KDE STATE KY US]
Sent: Tuesday, February 13, 2001 2:37 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Handling Scans.


Hi Abel,
Generating an e-mail automatically to be sent to an outside
organization can be a dangerous game to play.  For instance, if I were mad
at Microsoft I could spoof a scan from their address range toward your
network and fill up their security admin's mailbox with e-mail.  Same thing
with automatically pushing rules out to a firewall à la ISS, as many other
members of this list have mentioned they are doing.  I could scan your
network and spoof my IP address with the 13 root DNS servers and watch your
network crash and burn as your IDS pushes out a rule blocking all traffic
coming from these systems.  Automating _any_ action which denies or grants
access to network resources is a _Bad Thing_.  Security decisions, including
the handling of security incidents, should _always_ be handled by security
staff.

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel () kde state ky us
Web     http://www.kde.state.ky.us/



-----Original Message-----
From: abel wisman [mailto:abel () ABLE-TOWERS COM]
Sent: Monday, February 12, 2001 12:31 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Handling Scans.


This matter is interesting, and I was thinking about it upon reading the
previous posting.
As a shell/web host, the numbers of scans that pass by daily are staggering,
certainly I would like to sit down and write to all ISPs about their
"clients" doing this, however time is an elusive article nowadays.

Has (in addition to the question already asked) anybody made (perhaps) an
automated system based on for instance iplog, snort or tripwire, where mail
is generated to do this automatically?

Would be an interesting feature.

abel wisman
ABLE Towers LLC

www.able-towers.com
www.url.org

On Monday 12 February 2001 10:28, Reeves, Mike wrote:
I was trying to get some community type feedback on what people usually do
in handling scans of their networks. At home I usually look back at the
person scanning me. I get scanned about 5 times a day. Should I take the
time to contact the admin or should I just let it go? What do most people
do?

Mike K. Reeves
Networking Services Engineer,
Synchrony Communications, Inc.
MCSE Microsoft Certified System Eliminator
"Geek by nature... Linux By Choice..."



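The difference the thread draws between autogenerated and autosent reports, as an added example that is not part of any poster's message or of iplog, snort or tripwire: alerts are grouped into drafts for a person to review, and nothing is mailed or pushed to a firewall. The alert tuple layout, the `CRITICAL_NETS` list and the documentation-range addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample alerts (documentation address ranges, not real hosts):
# (source IP, destination port, whether a full TCP handshake was observed)
ALERTS = [
    ("203.0.113.7", 22, False),
    ("203.0.113.7", 23, False),
    ("203.0.113.7", 80, True),
    ("198.51.100.53", 53, False),
    ("198.51.100.53", 111, False),
]

# Assumption: networks the site depends on (e.g. its DNS resolvers); a block
# against these is never even proposed, whatever the alerts say.
CRITICAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def draft_reports(alerts, critical_nets=CRITICAL_NETS):
    """Group alerts by source and return drafts for a human to review.

    Nothing here sends mail or changes a firewall rule.
    """
    by_src = defaultdict(list)
    for src, port, handshake in alerts:
        by_src[src].append((port, handshake))

    drafts = []
    for src, events in sorted(by_src.items()):
        addr = ipaddress.ip_address(src)
        # A source seen only in packets without a completed handshake may be forged.
        verified = any(h for _, h in events)
        critical = any(addr in net for net in critical_nets)
        drafts.append({
            "source": src,
            "ports": sorted({p for p, _ in events}),
            "source_verified": verified,
            "block_proposed": verified and not critical,
            "status": "needs_review",  # a person decides whether to send or block
        })
    return drafts


if __name__ == "__main__":
    for d in draft_reports(ALERTS):
        print(d)
```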