Firewall detected intrusion – somebody is scanning one of your computers to seek attack vectors. How would you write an incident response plan, i.e. they are looking for open ports?
Maybe more to the point, WHY would you write an incident response plan for something like that?
I guess the big question is…are they getting through and finding anything?
I know that folks don't think very highly of things like PCI DSS and other compliance standards, but the fact is that these standards try to begin the process of developing a security-conscious culture where none existed previously. Part of these standards includes regular, repeated scans…so if someone is scanning your firewall from the outside, why not scan your infrastructure from *inside* the firewall?
Preach it brother! Preach it!
… We get 20 or 30 scans simultaneously, 24/7 on our infrastructure.
Once, in a galaxy far, far away, I worked with a customer for whom we installed two RealSecure sensors. Even though he'd already agreed to the locations of the sensors, once the engineers were on-site, he had them install one on the *outside* of the firewall. We called and asked, "are you sure that you want to be called at 2am when you get a SubSeven scan on the outside of your firewall?" He said, "yes". Our engineers quit rather than carry the pager.
It is normal to get a number of scans at one time, so doing the report would mean nothing.
Unless you are trying to make a case that these scans have cost your company more than $5000 USD and for that reason you can take the person who is scanning your network to court in the US.
Port scanning is not illegal in itself in most countries (as far as I am aware of).
Also, if you have open ports that are not needed, then close them, and if you have old services running on them, update/patch them. You should have nothing to worry about.
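To make the thread's triage question concrete ("are they getting through and finding anything?", and the point that a blocked scan by itself is background noise), here is an added example, not from any poster, that sorts scanning sources into noise versus incident by checking whether any probe in the scan was ACCEPTed by the firewall. The log lines, the `DROP`/`ACCEPT` prefix, the addresses and the scan threshold of 10 distinct ports are all constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Regex for the constructed iptables-like lines below (action prefix, SRC=, DPT=).
LINE_RE = re.compile(r"(?P<action>ACCEPT|DROP)\b.*\bSRC=(?P<src>[\d.]+)\b.*\bDPT=(?P<dpt>\d+)")


def _line(action, src, dpt):
    # Helper to build one constructed log line (documentation-range addresses only).
    return f"kernel: {action} IN=eth0 SRC={src} DST=198.51.100.10 PROTO=TCP DPT={dpt}"


# Constructed sample log: one scanner that hit an open port, one that was fully
# blocked, and one ordinary client that only ever spoke to a single port.
SAMPLE_LOG = "\n".join(
    [_line("DROP", "203.0.113.5", p) for p in (21, 22, 23, 25, 80, 443, 1433, 3306, 3389)]
    + [_line("ACCEPT", "203.0.113.5", 8080)]                   # scan reached an open port
    + [_line("DROP", "203.0.113.77", p) for p in range(1, 13)]  # wide scan, everything dropped
    + [_line("ACCEPT", "192.0.2.44", 443)]                     # normal client traffic
)


def triage(log_text, scan_threshold=10):
    """Return {src: (verdict, reached_ports)} for sources that probed at least
    scan_threshold distinct destination ports.  'noise' means every probe was
    dropped; 'incident' means at least one probe was accepted, i.e. the scan
    found something listening and the host behind it deserves a closer look."""
    touched = defaultdict(set)   # src -> distinct ports probed (any action)
    reached = defaultdict(set)   # src -> ports where the packet was ACCEPTed
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        port = int(m["dpt"])
        touched[m["src"]].add(port)
        if m["action"] == "ACCEPT":
            reached[m["src"]].add(port)

    verdicts = {}
    for src, ports in touched.items():
        if len(ports) < scan_threshold:
            continue  # too little breadth to call it a scan; leave it out of the report
        verdict = "incident" if reached[src] else "noise"
        verdicts[src] = (verdict, sorted(reached[src]))
    return verdicts


if __name__ == "__main__":
    for src, (verdict, ports) in triage(SAMPLE_LOG).items():
        print(f"{src}: {verdict}" + (f" (reached {ports})" if ports else ""))
```

A real feed would add a time window so that a slow scan over days is not mistaken for a handful of unrelated connections, and the threshold needs tuning to the amount of scanning your perimeter normally sees.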