Hi, I wouldn't recommend writing a script to 'automatically scan them back', for several reasons. The most obvious reason is that some scans are simply spoofed. If a script 'automatically scanned them back', it would be quite easy to get the script to scan innocent sites.
Naturally there are several other moral and legal reasons for not writing such a script, but I believe they are off topic for this thread. With regards to the original question - I agree that there is no need to take further action. Provided the firewall logs are showing that the packets are dropped and the application server logs also appear normal, nothing further needs to be done. Reporting of incidents can take quite a lot of effort. If one believes that an incident is serious enough or warrants reporting, by all means do so. Kind regards, Byrne Ghavalas ----- Original Message ----- From: "Chris Berry" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, December 09, 2002 9:25 PM Subject: Re: Incident Response > >From: H C <[EMAIL PROTECTED]> > > > My general question is just when do I need to do > > > something other than just check my firewall logs for > > > the source address and verify they weren't successful in > > > gaining access anywhere vs. actually reporting an > > > incident. > > > >Why do anything? The general sense is that the return > >doesn't really justify the time required to report > >such things. So, if the scans are unsuccessful, why > >bother with them at all? Seems like a colossal waste > >of time... > > You could write a script to automatically scan them back, if they know > you're watching they'll probably be less interested in messing with you. > > Chris Berry > [EMAIL PROTECTED] > Systems Administrator > JM Associates > > "Live dangerously, overclock your servers." > > > > > > > > _________________________________________________________________ > Tired of spam? Get advanced junk mail protection with MSN 8. > http://join.msn.com/?page=features/junkmail > >
