Security Incidents mailing list archives
Re: Scanning. Is it dangerous?
From: pain () ROYAL NET (Igor Gashinsky)
Date: Wed, 3 May 2000 00:10:10 -0400
Roelof,

Some IDS's have multiple "levels", and you could use a lower level for scans than you would if it detected what looks like BackOrifice or Loki on your network. However, you will always find yourself "disregarding" [read as: examine it, and see that it's a false positive] alerts from your IDS, so one more, and esp. a portscan detect, should not make life much more difficult, and would greatly add to your analysts' awareness of who is going after what.

-Igor Gashinsky, GCIA (pain () royal net)

"It is easy to run a secure computer system. You merely have to disconnect all dial-up connections and permit only direct-wired terminals, put the machine and its terminals in a shielded room, and post an armed guard at the door."

At 11:34 AM 5/1/00 +0200, Roelof Temmingh wrote:
I agree. I want to extend the discussion to the configuration of Intrusion Detection Systems. Should an IDS trigger on a portscan from outside? For me this does not make sense. As soon as you disregard 1 warning from an IDS you can just as well throw it out the window - and a small to medium Internet-connected company will receive between 2 and 10 scans a week.

my 2c,
Roelof

------------------------------------------------------
Roelof W Temmingh
SensePost IT security
roelof () sensepost com
+27 83 448 6996
http://www.sensepost.com

On Sat, 29 Apr 2000, Sarunas Krivickas wrote:

+Hi folks,
+
+As I see, almost everyone there are worried about some kind of scanning for
+own subnets, ports, etc. Do you think it is real danger to your system? So if
+it is true, the scans as a dangerous actions has to be recognized in your
+risk management and IT security policy. Does the simple scan of your system
+have the right place in your policy and also is the trigger to initiate
+actions and raise the alarm? Of course, we are able to recognize DoS or
+something like that, but almost all incidents there are talking about
+simple, usual and not dangerous actions. Yes, you have to think about this
+kind of actions (I do not call it as attack) if your system is totally
+unprotected.
+Let's go to discuss a little bit about subject!
+My question is how the recognized simple scanning is described in your IT
+security policy and why scanning is so dangerous for you?
+
+Regards,
+Sarunas
+