[Intrusions] [LOGS] Summary of large-scale portscanning detects

Kyle Maxwell krmaxwell at gmail.com
Mon Aug 16 18:32:54 GMT 2004


On Mon, 16 Aug 2004 09:14:11 -0700 (PDT), Merton Campbell Crockett
<mcc at cato.gd-ais.com> wrote:
> My apologies to the list but I don't understand the significance of this
> summary.  It's normal to have systems sweeping through your address space
> turning the door handle to see if it's unlocked.
> 
> The first block in Sunday's report is, perhaps, the only thing of interest
> in the report.  Unfortunately, the report format doesn't allow us to see
> a complete set of probes targeted at an individual system.

I think you may be potentially missing the points. Port scans are
normal in the sense that we know they happen. But knowing *what* is
being scanned for is useful intelligence, as is any information about
interesting scan patterns (such as the one you mention above). This
lets people receiving the information make more informed correlations
-- is this traffic pattern common to the Internet right now or is it
more likely I'm being targeted? The usefulness is similar to the
Internet Storm Center and DShield, allowing people to get a broader
view on what specifically is going on across the net.


-- 
Kyle Maxwell
krmaxwell at gmail.com


