Re: [ISSForum] TCP_Port_Scan

We can filter TCP_Port_Scan false positives by Event Filter: i.e. filter
all TCP_Port_Scan from port 80 from Internet (be sure that this traffic
is closed on firewall) or from known web sites. But ISS does not show
source port, does anybody know why?

I tried to filter all TCP_Port_Scans from 80, but seems this does not
work :-( Any ideas?

Thanks
---
Best regards, Sergey V. Soldatov.
Information security department.


> -----Original Message-----
> From: Jason Baeder [mailto:jason_baeder@yahoo.com] 
> Sent: Friday, January 13, 2006 6:59 PM
> To: Soldatov, Sergey V.; issforum@iss.net
> Subject: Re: [ISSForum] TCP_Port_Scan
>
> Sergey,
>
> I do not believe there is any effective way to tune the tcp 
> port scan sig in SP.  Due to the limited information that SP 
> often provides (one my own pet peeves) it can take some work 
> to figure out which is a real port scan. A few pointers:
>
> 1) If you see something this "80|135|139|445|1025|2745|3127|6129" 
> in the port column (in Event Analysis Details view), it is 
> likely a port scan.  I'm sure there are many theories to 
> explain why a series of packets will arrive at our DMZ on 
> those specific ports from address space at a web-hosting 
> company, but I think it's a port scan from an 0wn3d box.
>
> 2) If you see something like this "59097|59181|59192|59203" 
> in the port column, and the source IP address is one of your 
> public web servers, you can be sure it is HTTP return 
> traffic.  Note the port increments....click link (HTTP GET), 
> scan page for desired info,click link (HTTP GET), scan page 
> for desired info,click link(HTTP GET)...... 
>
> 3) If you see something similar to #2, with a destination 
> address of a host inside your network (by this I mean a user 
> workstation), it is also likely to be mundane return traffic. 
>  You should confirm with spot checks on source IP addresses.  
> You'll probably find your users are enjoying the typical mix 
> of Internet experiences.  With HTTP you'll find similar port 
> patterns in the port column.
>
> 4) Finally, when in doubt, tcpdump.
>
> This certainly doesn't cover all cases, but the most common 
> ones I see on a daily basis.
>
> Regards,
> Jason Baeder
>
>
> --- "Soldatov, Sergey V." <SVSoldatov@tnk-bp.com> wrote:
>
> > Hi list!
> > In my SP console I see a lot of TCP_Port_Scan events for 
> Internet IPs 
> > to my local IPs. I suppose that this are  false positives 
> because of 
> > HTTP replies from visited Web-sites, but unfortunately I 
> can't figure 
> > out if it's so, because SP (and it's strange) does not show 
> attacker's 
> > source port in event details... Does anybody can recommend 
> something 
> > to help me investigate these TCP_Port_Scan events.
> >
> > May be someone have experience in tuning TCP_Port_Scan event?
> >
> > Any feedback will be welcome.
> >
> > Thanks!
> >
> > ---
> > Best regards, Sergey V. Soldatov.
> > Information security department.
> > tel/fax +7 495 745 89 50
> > tel +7 495 777 77 07 (1613)
> >
> >
> > _______________________________________________
> > ISSForum mailing list
> > ISSForum@iss.net
> >
> > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
> > https://atla-mm1.iss.net/mailman/listinfo/issforum
> >
> > To contact the ISSForum Moderator, send email to 
> mod-issforum@iss.net
> > The ISSForum mailing list is hosted and managed by Internet 
> Security 
> > Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
>
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection 
> around http://mail.yahoo.com 


_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security Systems, 
6303 Barfield Road, Atlanta, Georgia, USA 30328.