Security Basics mailing list archives

Re: Incident Response

From: "Byrne Ghavalas" <security () nscs uk com>
Date: Tue, 10 Dec 2002 18:40:45 -0000

Hi,

I wouldn't recommend writing a script to 'automatically scan them back',
for several reasons.  The most obvious reason is that some scans are
simply spoofed. If a script 'automatically scanned them back', it would
be quite easy to get the script to scan innocent sites.

Naturally there are several other moral and legal reasons for not
writing such a script, but I believe they are off topic for this thread.

With regards to the original question - I agree that there is no need to
take further action.  Provided the firewall logs are showing that the
packets are dropped and the application server logs also appear normal,
nothing further needs to be done.

Reporting of incidents can take quite a lot of effort. If one believes
that an incident is serious enough or warrants reporting, by all means
do so.

Kind regards,

Byrne Ghavalas

----- Original Message -----
From: "Chris Berry" <compjma () hotmail com>
To: <security-basics () securityfocus com>
Sent: Monday, December 09, 2002 9:25 PM
Subject: Re: Incident Response

From: H C <keydet89 () yahoo com>

My general question is just when do I need to do
something other than just check my firewall logs for
the source address and verify they weren't successful in
gaining access anywhere vs. actually reporting an
incident.


Why do anything?  The general sense is that the return
doesn't really justify the time required to report
such things.  So, if the scans are unsuccessful, why
bother with them at all?  Seems like a colossal waste
of time...


You could write a script to automatically scan them back, if they know
you're watching they'll probably be less interested in messing with

you.


Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"Live dangerously, overclock your servers."







_________________________________________________________________
Tired of spam? Get advanced junk mail protection with MSN 8.
http://join.msn.com/?page=features/junkmail

Current thread:

Incident Response netsec novice (Dec 05)
- <Possible follow-ups>
- Re: Incident Response netsec novice (Dec 06)
- Re: Incident Response H C (Dec 09)
- Re: Incident Response Chris Berry (Dec 10)
  - Re: Incident Response Byrne Ghavalas (Dec 10)
    - Re: Incident Response Meritt James (Dec 11)