Re: Incident Response
From: Byrne Ghavalas (security@nscs.uk.com)
Date: 12/10/02
From: "Byrne Ghavalas" <security@nscs.uk.com> To: <security-basics@securityfocus.com> Date: Tue, 10 Dec 2002 18:40:45 -0000
Hi,

I wouldn't recommend writing a script to 'automatically scan them back',
for several reasons. The most obvious reason is that some scans are
simply spoofed. If a script 'automatically scanned them back', it would
be quite easy to get the script to scan innocent sites.

Naturally there are several other moral and legal reasons for not
writing such a script, but I believe they are off topic for this thread.

With regard to the original question - I agree that there is no need to
take further action. Provided the firewall logs are showing that the
packets are dropped and the application server logs also appear normal,
nothing further needs to be done.

Reporting of incidents can take quite a lot of effort. If one believes
that an incident is serious enough or warrants reporting, by all means
do so.

Kind regards,
Byrne Ghavalas
----- Original Message -----
From: "Chris Berry" <compjma@hotmail.com>
To: <security-basics@securityfocus.com>
Sent: Monday, December 09, 2002 9:25 PM
Subject: Re: Incident Response
> >From: H C <keydet89@yahoo.com>
> > > My general question is just when do I need to do
> > > something other than just check my firewall logs for
> > > the source address and verify they weren't successful in
> > > gaining access anywhere vs. actually reporting an
> > > incident.
> >
> >Why do anything? The general sense is that the return
> >doesn't really justify the time required to report
> >such things. So, if the scans are unsuccessful, why
> >bother with them at all? Seems like a colossal waste
> >of time...
>
> You could write a script to automatically scan them back, if they know
> you're watching they'll probably be less interested in messing with
> you.
>
> Chris Berry
> compjma@hotmail.com
> Systems Administrator
> JM Associates
>
> "Live dangerously, overclock your servers."