OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: RE: can/should
From: Sean Ellis (sellisintergate.bc.ca)
Date: Wed May 24 2000 - 16:48:06 CDT


At 06:34 AM 5/24/00 -0400, you wrote:
>
>Many sites send a relatively curteous mail to the site or isp that
>summarizes that logs and states that you detected a portscan and consider
>this bad behavior, and would like the site to check to ensure that they have

Monitoring network traffic is not part of my job, so perhaps I'm slightly
'out of the loop' on this, but can it really be practical to be responding to
portscans in this way? Surely that would have to generate one humungous amount
of email.

If I see something interesting on a site, streaming video, whatever, I may do
a scan to see what kind of technology they're running, if I expect to be
dealing with
someone and they're online, I may give them a scan, integrate what I see
there into the picture of them I'm trying to formulate. I don't think I'm
alone in this; there must be a lot of similar activity.

>My questions is what else
>can/should be done. I have no other reason to believe they got through
>or committed any crime. What else are you guys doing? I hope this is
>not to far off topic.

I don't think responding to port scans, unless they're persistent and
threatening in some distinct way, is a good use of your time. IMHO.

Sean

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to
nmap-hackers-helpinsecure.org . List run by ezmlm-idx (www.ezmlm.org).