This discussion divides into two parts: Code Green type active scanners and CRClean type passive/response. Most of the "not on my box" group presume that all are bad.

I agree that the active approach was not thought out. The author might have been better served to float the idea here before releasing the beta (he would have found out that CRClean was about to come out). Any ACTIVE scan IS an attack.

But those of you who apply this to all responses must remember that in CRClean type response, YOUR BOX must be attacking me FIRST! Your rights have just gone out the window. Period. If you are such a good admin, you should already have caught the traffic and shut the dog down. Period. Especially true after EVERYONE in the security world knows there is a major problem. If your company has such lax control of its boxes that they can attack me, then you need to have someone else come in and provide a serious security audit and policy upgrade.

Stan got the point backwards; the mass of users who have no clue and no corporate admins to "guide" them are the victims of your hands-off policy. Maybe none of you moonlight on boxes outside of your corporate worlds, but I do and the desire for an automatic fix is immense.

Would I want someone ACTIVELY doing my personal network? No. But if I'm infected and someone responds to my attack by trying to fix it without hiding it, I welcome the help. Remember, the infection has to have already gotten past my defenses and I have somehow missed it. The person is at least trying to do me a favor.

For those people who have no firewalls and think snort is something an animal does, a peer-reviewed passive is the right answer. IMHO.

T. Patrick O'Hara (contractor, client not disclosed per client's NDE)
This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 15:16:25 PDT