Sergey,
I do not believe there is any effective way to tune the tcp port scan
sig in SP. Due to the limited information that SP often provides (one
my own pet peeves) it can take some work to figure out which is a real
port scan. A few pointers:
1) If you see something this "80|135|139|445|1025|2745|3127|6129"
in the port column (in Event Analysis Details view), it is likely a
port scan. I'm sure there are many theories to explain why a series of
packets will arrive at our DMZ on those specific ports from address
space at a web-hosting company, but I think it's a port scan from an
0wn3d box.
2) If you see something like this "59097|59181|59192|59203" in the port
column, and the source IP address is one of your public web servers,
you can be sure it is HTTP return traffic. Note the port
increments....click link (HTTP GET), scan page for desired info,click
link (HTTP GET), scan page for desired info,click link(HTTP GET)......
3) If you see something similar to #2, with a destination address of a
host inside your network (by this I mean a user workstation), it is
also likely to be mundane return traffic. You should confirm with spot
checks on source IP addresses. You'll probably find your users are
enjoying the typical mix of Internet experiences. With HTTP you'll
find similar port patterns in the port column.
4) Finally, when in doubt, tcpdump.
This certainly doesn't cover all cases, but the most common ones I see
on a daily basis.
Regards,
Jason Baeder
--- "Soldatov, Sergey V." <SVSoldatov@tnk-bp.com> wrote:
Hi list!
In my SP console I see a lot of TCP_Port_Scan events for Internet IPs
to
my local IPs. I suppose that this are false positives because of
HTTP
replies from visited Web-sites, but unfortunately I can't figure out
if
it's so, because SP (and it's strange) does not show attacker's
source
port in event details... Does anybody can recommend something to help
me
investigate these TCP_Port_Scan events.
May be someone have experience in tuning TCP_Port_Scan event?
Any feedback will be welcome.
Thanks!
---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 495 745 89 50
tel +7 495 777 77 07 (1613)
_______________________________________________
ISSForum mailing list
ISSForum@iss.net
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to mod-issforum@iss.net
The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
ISSForum mailing list
ISSForum@iss.net
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to mod-issforum@iss.net
The ISSForum mailing list is hosted and managed by Internet Security Systems,
6303 Barfield Road, Atlanta, Georgia, USA 30328.
