Security Basics mailing list archives
RE: Incident response to being scanned
From: "Fields, James" <James.Fields () bcbsfl com>
Date: Fri, 25 Apr 2003 13:44:58 -0400
Bob, I see the same here. I'm also trying to come up with a standard methodology for dealing with these. We do automatic temporary blocking of source addresses based on a limited selection of IDS signatures, but that doesn't fix the problem - in particular a lot of these are probably coming from infected systems elsewhere, and the owners may not know they have a problem.

At my company we have a Computer Security department that is supposed to handle "policy" while I handle infrastructure - the actual implementation of the corporate policy in the hardware. Our CS guys have never given us a really good incident response procedure to cover this. In the absence of that, I have taken the stance that if it is one hit from one source, I don't bother reporting it. If it is true scanning - multiple hits from the same source, or from several sources on the same subnet, I try one (and only one) attempt to reach the abuse address for that network if one exists.

By the way - I've been getting more and more from European colleges and universities lately, and many from companies that have the same first octet in the IP address block as ours.

-----Original Message-----
From: Bob Kelley [mailto:b0bk3ll3yjr () adelphia net]
Sent: Friday, April 25, 2003 1:16 AM
To: security-basics () securityfocus com
Subject: Incident response to being scanned

In reviewing my firewall and web server logs, I see repeated attempts from several IP addresses to scan my network as well as infect my web server with Code Red. The source addresses are not always the same. I am confident that I don't have any holes in my firewall and my web server is up to date. I perform weekly vulnerability scans of my equipment to make sure I am covered.

What is considered the best practice for dealing with these incidents? Should I be filing abuse reports with the ISPs of the source IPs? This obviously takes time. I am looking for a business case to justify the time spent responding.
Thanks

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hands-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place.
http://www.securityfocus.com/BlackHat-security-basics
----------------------------------------------------------------------------

Blue Cross Blue Shield of Florida, Inc., and its subsidiary and affiliate companies are not responsible for errors or omissions in this e-mail message. Any personal comments made in this e-mail do not reflect the views of Blue Cross Blue Shield of Florida, Inc. The information contained in this document may be confidential and intended solely for the use of the individual or entity to whom it is addressed. This document may contain material that is privileged or protected from disclosure under applicable law. If you are not the intended recipient or the individual responsible for delivering to the intended recipient, please (1) be advised that any use, dissemination, forwarding, or copying of this document IS STRICTLY PROHIBITED; and (2) notify sender immediately by telephone and destroy the document. THANK YOU.
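The triage rule of thumb in the reply above (a single hit from a single source is ignored; repeated hits from one source, or several sources on one subnet, earn exactly one abuse contact for that network) is easy to turn into a small log-triage script. The following is an added example, not code from either poster: it parses iptables-style firewall log lines, groups sources by /24, applies those thresholds, and keeps a set of networks already reported so a second run does not send a second report. The log lines, the addresses (RFC 5737 documentation ranges) and the threshold values are constructed for illustration; the actual abuse lookup and mail sending are left out.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample firewall log lines (iptables-style). Addresses come from the
# RFC 5737 documentation ranges; nothing here is taken from the original post.
SAMPLE_LOG = """\
Apr 25 01:02:11 fw kernel: IN=eth0 SRC=198.51.100.7 DST=10.0.0.10 PROTO=TCP DPT=80
Apr 25 01:02:12 fw kernel: IN=eth0 SRC=198.51.100.7 DST=10.0.0.10 PROTO=TCP DPT=443
Apr 25 01:02:13 fw kernel: IN=eth0 SRC=198.51.100.7 DST=10.0.0.11 PROTO=TCP DPT=80
Apr 25 01:05:40 fw kernel: IN=eth0 SRC=203.0.113.10 DST=10.0.0.10 PROTO=TCP DPT=80
Apr 25 01:05:41 fw kernel: IN=eth0 SRC=203.0.113.11 DST=10.0.0.10 PROTO=TCP DPT=80
Apr 25 01:05:42 fw kernel: IN=eth0 SRC=203.0.113.12 DST=10.0.0.10 PROTO=TCP DPT=80
Apr 25 01:09:03 fw kernel: IN=eth0 SRC=192.0.2.55 DST=10.0.0.10 PROTO=TCP DPT=80
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\d+(?:\.\d+){3}) DST=(?P<dst>\d+(?:\.\d+){3}) .*?DPT=(?P<dport>\d+)"
)


def parse_events(text):
    """Return a list of (src, dst, dport) tuples for every line that matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], int(m["dport"])))
    return events


def _record(decisions, reported, net, key, verdict):
    """Report a source or subnet once per network; later repeats are suppressed."""
    if net in reported:
        decisions["suppressed"].append(key)
    else:
        reported.add(net)
        decisions[verdict].append(key)


def triage(events, hit_threshold=2, subnet_source_threshold=3, prefix=24,
           already_reported=()):
    """Apply the reply's rule of thumb to parsed events.

    Thresholds are hypothetical defaults. Returns (decisions, reported): decisions
    maps a verdict to the addresses or networks it applies to; reported is the
    updated set of networks for which an abuse contact has already been attempted.
    """
    reported = set(already_reported)
    hits = Counter(src for src, _, _ in events)
    net_of = {src: str(ipaddress.ip_network(f"{src}/{prefix}", strict=False))
              for src in hits}
    sources_by_net = defaultdict(set)
    for src, net in net_of.items():
        sources_by_net[net].add(src)

    decisions = {"report_subnet": [], "report_source": [], "ignore": [], "suppressed": []}
    handled = set()

    # Several distinct sources inside one subnet: one report for the whole network.
    for net in sorted(sources_by_net):
        srcs = sources_by_net[net]
        if len(srcs) >= subnet_source_threshold:
            handled |= srcs
            _record(decisions, reported, net, net, "report_subnet")

    # Remaining sources: repeated hits earn one report, a lone hit is ignored.
    for src in sorted(hits, key=ipaddress.ip_address):
        if src in handled:
            continue
        if hits[src] >= hit_threshold:
            _record(decisions, reported, net_of[src], src, "report_source")
        else:
            decisions["ignore"].append(src)
    return decisions, reported


if __name__ == "__main__":
    first, seen = triage(parse_events(SAMPLE_LOG))
    print("first run:", first)
    # Feeding the same log again with the reported set shows the one-attempt rule.
    second, _ = triage(parse_events(SAMPLE_LOG), already_reported=seen)
    print("second run:", second)
```

In practice the `reported` set would be persisted between runs (a small file or database keyed by network), and the "report_subnet" and "report_source" entries would feed whatever abuse-contact lookup the site uses; the grouping by /24 is a stand-in for the actual allocation boundaries that a whois lookup would return.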
Current thread:
- Incident response to being scanned Bob Kelley (Apr 25)
- RE: Incident response to being scanned David Gillett (Apr 28)
- Re: Incident response to being scanned security () nuvox net (Apr 28)
- <Possible follow-ups>
- RE: Incident response to being scanned Fields, James (Apr 28)
- RE: Incident response to being scanned Allan Schon (Apr 28)
- Re: Incident response to being scanned H Carvey (Apr 28)
- Re: RE: Incident response to being scanned Bob Kelley (Apr 28)
- RE: RE: Incident response to being scanned Security News (Apr 28)
- Re: Incident response to being scanned Paris Stone (Apr 28)
- Re: RE: Incident response to being scanned Frank Gearhart (Apr 29)