RE: Odd scans and stuff bouncing off firewalls

From: Steve Vawter (svawter@sigma.net)
Date: 08/13/02


Date: Tue, 13 Aug 2002 09:57:33 -0700
From: Steve Vawter <svawter@sigma.net>
To: Nexus <nexus@patrol.i-way.co.uk>

Another reason (other than using the numbers for cash) that I can see is
that they might better help decipher where an attack that made it
through the filters came from. If you only have the few packets that
made it through to use to backtrack to an attacker, it may be harder to
find them.

But, of course, without the right data filters, finding the pattern in
the chaos is near impossible sometimes...

-------- Original Message --------
Subject: Odd scans and stuff bouncing off firewalls
Date: Tue 8/13/2002 8:58 AM
From: Nexus [nexus@patrol.i-way.co.uk]
To: incidents@securityfocus.com

Just a quick straw poll to see if anyone has any hard data that supports
the logging and analysis of traffic that bounces off of filtering devices as
part of a business security plan ? Other than generating attack metrics to
wave under the noses of senior management at budget time, is there any
definite _business_ requirement to have IDS sensors outside the firewall
or firewall "drop" logs et al regularly examined in the context of
"external" attack sources ?

"We defended against X bazillion hack attacks last year so we need a
bigger budget for more stuff.." Babel Fish (H2G2 version): "Tons of port
scans and worms from non-accountable netblocks bounced off of the firewall"

I don't bother to chase anything from anywhere unless it makes it
through the filters because I could care less and it would IMHO purely
be a time sink and even then only if it's from a netblock that has a
whois abuse@ entry. As I said, this is purely my own view, on my own
network knowing the sheer amount of background radiation on the
internet, so I would appreciate some other points of view.

Cheers.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

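The point Steve raises, that drop logs let you backtrack from the few packets that got through to the probing that preceded them, and Nexus's observation that a drop-only view is mostly background radiation, can both be shown on a small log. The following is an added example written for this page; it is not code from either poster. It assumes Linux iptables LOG-target lines in syslog with the literal prefixes "DROP" and "ACCEPT" (the prefix is whatever --log-prefix the ruleset used), the sample lines are constructed for the example, and the year 2002 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of iptables LOG output as seen in syslog.
# These lines are made up for this example; they are not from the original thread.
SAMPLE_LOG = """\
Aug 13 09:50:01 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=3091 DPT=135
Aug 13 09:50:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=3092 DPT=139
Aug 13 09:50:03 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=3093 DPT=445
Aug 13 09:50:04 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=3094 DPT=1433
Aug 13 09:50:05 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=3095 DPT=8080
Aug 13 09:55:10 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=3120 DPT=80
Aug 13 09:51:00 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=4001 DPT=445
Aug 13 09:52:00 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.45 DST=203.0.113.10 PROTO=TCP SPT=4001 DPT=445
Aug 13 09:53:00 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.46 DST=203.0.113.10 PROTO=TCP SPT=4001 DPT=445
Aug 13 09:56:00 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=192.0.2.99 DST=203.0.113.10 PROTO=TCP SPT=5555 DPT=80
"""

# Fields of an iptables LOG line; the "DROP"/"ACCEPT" prefixes are an assumption
# about the ruleset's --log-prefix. Real lines carry LEN=, TTL= etc. between DST
# and PROTO, which the lazy ".*?" skips over.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>DROP|ACCEPT) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def parse_log(text, year=2002):
    """Parse syslog-style firewall lines into dicts, oldest first.
    Syslog timestamps have no year, so the caller supplies one (2002 assumed here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other kernel chatter, or a line in a format we do not handle
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append({"ts": ts, "action": m["action"], "src": m["src"],
                       "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])})
    events.sort(key=lambda e: e["ts"])
    return events


def prior_drops(events, accept, window=timedelta(minutes=30)):
    """Drop-log entries from the same source in the window before an accepted
    connection: the backtrack that is only possible if drops were logged at all."""
    return [e for e in events
            if e["action"] == "DROP" and e["src"] == accept["src"]
            and accept["ts"] - window <= e["ts"] <= accept["ts"]]


def triage_accepts(events, window=timedelta(minutes=30), min_ports=3):
    """For every accepted connection, report whether the drop logs show the same
    source probing several closed ports shortly beforehand (scan, then a hit)."""
    out = []
    for e in events:
        if e["action"] != "ACCEPT":
            continue
        drops = prior_drops(events, e, window)
        ports = sorted({d["dpt"] for d in drops})
        out.append({"src": e["src"], "ts": e["ts"], "dpt": e["dpt"],
                    "prior_drops": len(drops), "probed_ports": ports,
                    "scanned_first": len(ports) >= min_ports})
    return out


def background_noise(events, min_sources=3):
    """Ports hit by many distinct sources that never got anything through:
    the worm and scan background a drop-only view is mostly made of.
    Returns {port: number_of_sources} for ports at or above the threshold."""
    accepted = {e["src"] for e in events if e["action"] == "ACCEPT"}
    by_port = defaultdict(set)
    for e in events:
        if e["action"] == "DROP" and e["src"] not in accepted:
            by_port[e["dpt"]].add(e["src"])
    return {port: len(srcs) for port, srcs in by_port.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for t in triage_accepts(evs):
        print(t)
    print("noise ports:", background_noise(evs))
```

On the sample, the accepted connection from 198.51.100.7 is preceded by five dropped probes on five different ports, which is the context worth keeping; the accept from 192.0.2.99 has no drop history and would be invisible to a drop-only analysis either way. The three sources that only ever hit 445 and got nothing through are the background radiation Nexus describes, and the per-port count is the cheap metric that tells you so without chasing any of them individually.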


