Security Incidents mailing list archives

Re: Scanning. Is it dangerous?


From: pain () ROYAL NET (Igor Gashinsky)
Date: Wed, 3 May 2000 00:10:10 -0400


Roelof,

        Some IDSs have multiple "levels", and you could use a lower level for
scans than you would if it detected what looks like BackOrifice or Loki on
your network. However, you will always find yourself "disregarding" [read
as: examine it, and see that it's a false positive] alerts from your IDS,
so one more, and esp a portscan detect should not make life much more
difficult, and would greatly add to your analysts' awareness of who is going
after what.

-Igor Gashinsky, GCIA
   (pain () royal net)

"It is easy to run a secure computer system. You merely have to disconnect
all dial-up connections and permit only direct-wired terminals, put the
machine and its terminals in a shielded room, and post an armed guard at the
door."

At 11:34 AM 5/1/00 +0200, Roelof Temmingh wrote:
I agree. I want to extend the discussion to the configuration of Intrusion
Detection Systems. Should an IDS trigger on a portscan from outside? For me
this does not make sense. As soon as you disregard 1 warning from an IDS you
can just as well throw it out the window - and a small to medium
Internet-connected company will receive between 2 and 10 scans a week.

my 2c,
Roelof
------------------------------------------------------
Roelof W Temmingh              SensePost IT security
roelof () sensepost com                +27 83 448 6996
              http://www.sensepost.com                

On Sat, 29 Apr 2000, Sarunas Krivickas wrote:

+Hi folks,
+
+As I see, almost everyone there are worried about some kind of scanning for
+own subnets, ports, etc. Do you think it is real danger to your system? So if
+it is true, the scans as a dangerous actions has to be recognized in your
+risk management and IT security policy. Does the simple scan of your system
+has the right place in your policy and also is the trigger to initiate
+actions and raise the alarm? Of course, we are able to recognize DoS or
+something like that, but almost all incidents there are talking about
+simple, usual and not dangerous actions. Yes, you have to think about this
+kind of actions (I do not call it as attack) if your system is totally
+unprotected.
+Let's go to discuss a little bit about subject!
+My question is how the recognized simple scanning is described in your IT
+security policy and why scanning is so dangerous for you?
+
+Regards,
+Sarunas
+


