[Snort-users] new ports in portscans and scans in general

robin stubbs mstubbs at ...842...
Mon Jan 8 12:59:35 EST 2001


Every once in a while a new port shows up being scanned on our network.
Is this something that anyone anywhere needs to know about? (TCP 9704
this time). I'm thinking, maybe the list doesn't want me to send email
every time I see a port scan I can't identify. There's a lot of
ports... :-)
 
The thrill of tracking down someone responsible for a particular IP
number and reporting it has definitely worn off for me. Over the weekend
we were scanned by 10 different IP numbers. I don't have time to report
these manually and I don't know but what someone else already did
anyway. How do other highly targeted entities deal with this type of
thing? Does your institution take on this job or is it every admin on
their own? (The word security does not appear in my job description!)
On the other hand, once I ran a machine that was compromised and I very
greatly appreciated the fact that someone managed to send me email
alerting me of this fact.

Just out of curiosity, I'm wondering how much spread do these scans
have? That would impact the utility of reporting one, i.e. if the
average compromised machine scanned every live IP number on the
internet, then there would be a high likelihood they scanned the FBI
for example, and maybe the owners would hear about it. On the other
hand, if it scanned only a few class C subnets per day then it would
probably be more important that the scannees report it. I'm imagining
that these programs/people are restricting the amount of scanning they
do to evade detection, or am I wrong?



