Snort mailing list archives

Re: What do you with scan alerts


From: Erick Mechler <emechler () techometer net>
Date: Wed, 19 Feb 2003 07:39:06 -0800

:: What do you normally do with scans that you get on
:: your network, should I mail them to responsible ISP or
:: university etc. or should I keep ignoring them.

The answer to this depends on the security policy you have in place.  If
you really do care about port scans, or perhaps just one-off port probes,
then by all means write the owner of the source IP and ask them to stop,
disable the IP, take action against the owner, etc.  If you get hundreds or 
thousands of these a day and you just can't respond to all of them, you 
need to decide what your threshold is.

For example, if someone tries a web-specific exploit 100 times, I'm 
probably not going to bother.  However, if someone scans entire /24's and 
generates nearly 7k alerts, it's going to get noticed, and chances are I'm 
probably going to do something about it.  These numbers are completely 
arbitrary and depend on several factors:

  1. How important port scans really are to you
  2. How busy you are
  3. How many alerts you get in a given hour/day/week
  4. How good your contacts are at ISPs :)

I'd say it's common sentiment that port scans aren't really that 
threatening by themselves (assuming, of course, your firewalls are doing 
what they're supposed to).  However, they can be a sign for attacks to 
come, and they can be very useful for determining how someone gained 
unauthorized access during a post-mortem.

Cheers - Erick
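An added example, not from this post or from the Snort project, of the threshold idea Erick describes: aggregate Snort fast-format alert lines per source IP and separate a repeated single-host probe (the "100 tries of one web exploit" case) from a sweep across a /24 (the "7k alerts" case). The alert lines, addresses, signature IDs and the thresholds are constructed for illustration; tune them to your own policy.

```python
"""Triage Snort 'fast' alert lines by source IP: repeat probes vs. /24 sweeps."""
import re
from collections import defaultdict
from ipaddress import ip_network

# Fixed parts of Snort "-A fast" output; the sample lines below are constructed.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.*?) \[\*\*\].*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):?(?P<sport>\d*) -> (?P<dst>[\d.]+):?(?P<dport>\d*)"
)

# Constructed samples: one host retries a web exploit 100x, another pings a whole /24.
SAMPLE_ALERTS = (
    ["02/19-07:39:%02d.000000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] "
     "[Classification: Web Application Attack] [Priority: 1] {TCP} "
     "203.0.113.7:4%03d -> 192.0.2.10:80" % (i % 60, i) for i in range(100)]
    + ["02/19-08:00:%02d.000000  [**] [1:469:1] ICMP PING NMAP [**] "
       "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} "
       "198.51.100.9 -> 192.0.2.%d" % (i % 60, i) for i in range(1, 255)]
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None for non-alert lines."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def summarize_by_source(lines):
    """Per source IP: alert count, distinct target hosts, /24s and signatures."""
    stats = defaultdict(lambda: {"alerts": 0, "hosts": set(), "nets": set(), "sids": set()})
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # skip stats banners, blank lines, etc.
        s = stats[a["src"]]
        s["alerts"] += 1
        s["hosts"].add(a["dst"])
        s["nets"].add(str(ip_network(a["dst"] + "/24", strict=False)))
        s["sids"].add(a["sid"])
    return stats

def triage(stats, min_hosts=50, min_alerts=1000):
    """Apply the post's rule of thumb: sweeps get escalated, repeated one-host probes do not."""
    verdicts = {}
    for src, s in stats.items():
        if len(s["hosts"]) >= min_hosts or s["alerts"] >= min_alerts:
            verdicts[src] = "sweep"          # broad or very noisy: worth a report
        elif len(s["hosts"]) == 1 and len(s["sids"]) == 1:
            verdicts[src] = "repeat-probe"   # same exploit, same host: log and move on
        else:
            verdicts[src] = "noise"
    return verdicts
```

Feed it the output of `snort -A fast` (or an existing alert file) one line at a time; the per-source counts also give you the numbers a decent abuse report needs.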

