> > I'm really kind of surprised that a CISSP is taking
> > this approach to such a problem.
>
> Why? what is wrong in asking the community when one has done all the
> research he was able to do? Isn't it what this list is for? And how do you
> know why he is asking - maybe his security policy asks him to investigate
> this specific case?

Unfortunately, you've missed the point as well. Of course, there is nothing
wrong w/ "asking the community". However, for a CISSP who works for FedCERT
to ask the question that Ken did is ludicrous.

> > packets headed for this port. Fine. *How* did they
> > find them? Were they dropped by a firewall? If
> > so...so what? Better to spend the time on things that
> > matter than chasing after shiny objects.
>
> Again, I prefer not to teach a person to do his job unless I am asked for
> this :)

Okay, that's your stance. However, there are cases in which people need to
be taught how to do their jobs.

> Maybe this system is so critical that it is needed to investigate a
> slightest possibility of compromise/unknown exploit?

Okay, so you choose to make an entirely different set of assumptions with
regard to this issue. That's fine. I happen to see it differently...a couple
of datagrams were presumably dropped at the firewall, and no data from those
datagrams was collected. All we know is the destination port. Looking for
what *should* be on that port, based on port listings, has long been shown
to be a waste of time as far as finding an answer is concerned.

> And what is wrong with pure curiosity? :)

Nothing at all.

> > Were they logged by an IDS? If so, what data is
> > carried in the datagram?
>
> He said it was a scan, so presumably the data portion was empty.

That's your assumption. I didn't make that assumption...I asked for
clarification.

> If they find nothing, this still will not answer the question on what the
> scanning person was looking for.

Maybe. But if something *is* found, then it would answer the question.

Also, regards to the scan...if the datagrams were dropped, and the scan had
no other effect than to add a couple of lines to the log files...who cares?
A CISSP should know that in the big scheme of things, and as far as
day-to-day security operations are concerned, such an event is irrelevant.
A CISSP should also know not to waste a customer's time (and money) pursuing
such things, particularly when there are other, more important things to be
handled and investigated.

> P.S. Yes, I'm a CISSP too :)

Goody for you! My CISSP served its purpose...it got me past the headhunters
and HR folks so I could actually get an interview...so I let it expire. I
really didn't get any other value from it...it wasn't worth the annual
subscription fee.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
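The triage argument in the message above (datagrams dropped at the firewall, nothing known but the destination port, so port-listing lookups do not help) as an added example, not code from the original post or from SecurityFocus. It ranks firewall log events by what was actually exposed: drops with no captured payload go to the bottom, accepted connections to a port that a host really listens on go to the top. The log lines are constructed and loosely follow the iptables LOG format; the listening-service inventory is an assumed, hypothetical table.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original post), loosely in
# iptables LOG style. The scan-like pair to port 1433 is dropped; the
# remaining lines are accepted connections.
SAMPLE_LOG = """\
Jul 22 10:01:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44122 DPT=1433
Jul 22 10:01:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44123 DPT=1433
Jul 22 10:05:40 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP SPT=51000 DPT=80
Jul 22 10:06:11 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP SPT=51001 DPT=22
Jul 22 10:07:30 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP SPT=51002 DPT=8080
"""

# Assumed (hypothetical) inventory of what each internal host really listens on.
# In practice this would come from an asset inventory or a local port audit.
LISTENING = {
    "192.0.2.10": set(),        # nothing exposed on this host
    "192.0.2.20": {22, 80},     # web + ssh
}

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) (?:SPT=\d+ )?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict with action/src/dst/proto/dpt, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dpt"] = int(ev["dpt"])
    return ev


def priority(ev):
    """Rank an event by exposure rather than by what the port number 'should' be.

    DROP: the firewall discarded it and no payload was kept, so the only
          fact available is the destination port. Log it, do not chase it.
    ACCEPT to a listening port: real traffic reached a real service.
    ACCEPT to a port with no listener: worth a look (inventory gap or
          unexpected service), but nothing answered.
    """
    if ev["action"] == "DROP":
        return "ignore"
    if ev["dpt"] in LISTENING.get(ev["dst"], set()):
        return "investigate"
    return "review"


def triage(log_text):
    """Group parsed events by priority bucket."""
    buckets = {"investigate": [], "review": [], "ignore": []}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            buckets[priority(ev)].append((ev["src"], ev["dst"], ev["dpt"]))
    return buckets


def dropped_port_counts(log_text):
    """Per-port count of dropped datagrams: the one thing the drops do tell us."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None and ev["action"] == "DROP":
            counts[ev["dpt"]] += 1
    return counts


if __name__ == "__main__":
    for bucket, events in triage(SAMPLE_LOG).items():
        print(f"{bucket:12s} {events}")
    print("dropped by port:", dict(dropped_port_counts(SAMPLE_LOG)))
```

The ordering is the point: the two dropped probes to 1433 are counted and then left alone, while the accepted connections to 80 and 22 on the host that actually serves them are what an analyst's time should go to; the accepted connection to 8080, where nothing is known to listen, lands in between as an inventory question rather than an incident.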
This archive was generated by hypermail 2b30 : Tue Jul 23 2002 - 12:23:27 PDT