Re: Incident response to being scanned

From: H Carvey (keydet89_at_yahoo.com)
Date: 04/27/03

    Date: 27 Apr 2003 11:39:43 -0000
    To: security-basics@securityfocus.com
    
    
    In-Reply-To: <20030425051605.5458.qmail@www.securityfocus.com>

    >What is considered the best practice for dealing with these incidents?
    >Should I be filing abuse reports with the ISPs of the source IPs? This
    >obviously takes time. I am looking for a business case to justify the
    >time spent responding.

    If you're being scanned, that just means that you're
    connected to the Internet. The fact that the scans are
    not successful, and are being dropped, is a good thing.

    I guess my question is why would you waste time
    following up on each and every scan? Perhaps the
    reason you're having trouble developing a business case
    for this investment of time and energy is that...well,
    there isn't one.

    I followed up on a Nimda scan...once. But that's b/c
    the same IP kept showing up in my logs for three
    consecutive days. Other than that...forget it.

    Harlan
