Re: [ISSForum] [[SPAM]] Re: TCP_Port_Scan

Me to, just in case ISS would like to do a count.
I have most of it down to return traffic, but honestly I find the signature
so flawed that it is hard to
take it serious.

I recall from old times (WGM) that you could adjust:
        
        - number of ports
        - timeframe the above number of parts are scanned

F.x. 10 ports across 15 seconds. I don't recall where I read this, but no
matter what this is of limited use, because the return traffic (the
click-click-click) example could be quite fast and trigger this event as it
does.
If you where to enlarge the frame of it say 60 ports in 300 seconds (since I
would slower my port scan to avoid standard IDS tuning/sigs) then it would
most likely get worse and potentially slow down the sensor.

/Morten


-----Original Message-----
From: CAUSEY, David [mailto:davidc@lmi.org] 
Sent: Friday 13 January 2006 22:31
To: Jason Baeder; Soldatov, Sergey V.; issforum@iss.net
Subject: Re: [ISSForum] [[SPAM]] Re: TCP_Port_Scan

I haven't piped up about it but I have the same problem. Lots of false
positives and very difficult to tell what the heck the traffic was supposed
to be doing.


David

-----Original Message-----
From: issforum-bounces@iss.net [mailto:issforum-bounces@iss.net] On Behalf
Of Jason Baeder
Sent: Friday, January 13, 2006 10:59 AM
To: Soldatov, Sergey V.; issforum@iss.net
Subject: [ISSForum] [[SPAM]] Re: TCP_Port_Scan

Sergey,

I do not believe there is any effective way to tune the tcp port scan sig in
SP.  Due to the limited information that SP often provides (one my own pet
peeves) it can take some work to figure out which is a real port scan. A few
pointers:

1) If you see something this "80|135|139|445|1025|2745|3127|6129" 
in the port column (in Event Analysis Details view), it is likely a port
scan.  I'm sure there are many theories to explain why a series of packets
will arrive at our DMZ on those specific ports from address space at a
web-hosting company, but I think it's a port scan from an 0wn3d box.

2) If you see something like this "59097|59181|59192|59203" in the port
column, and the source IP address is one of your public web servers, you can
be sure it is HTTP return traffic.  Note the port increments....click link
(HTTP GET), scan page for desired info,click link (HTTP GET), scan page for
desired info,click link(HTTP GET)...... 

3) If you see something similar to #2, with a destination address of a host
inside your network (by this I mean a user workstation), it is also likely
to be mundane return traffic.  You should confirm with spot checks on source
IP addresses.  You'll probably find your users are enjoying the typical mix
of Internet experiences.  With HTTP you'll find similar port patterns in the
port column.

4) Finally, when in doubt, tcpdump.

This certainly doesn't cover all cases, but the most common ones I see on a
daily basis.

Regards,
Jason Baeder


--- "Soldatov, Sergey V." <SVSoldatov@tnk-bp.com> wrote:

> Hi list!
> In my SP console I see a lot of TCP_Port_Scan events for Internet IPs 
> to my local IPs. I suppose that this are  false positives because of 
> HTTP replies from visited Web-sites, but unfortunately I can't figure 
> out if it's so, because SP (and it's strange) does not show attacker's 
> source port in event details... Does anybody can recommend something 
> to help me investigate these TCP_Port_Scan events.
>
> May be someone have experience in tuning TCP_Port_Scan event?
>
> Any feedback will be welcome.
>
> Thanks!
>
> ---
> Best regards, Sergey V. Soldatov.
> Information security department.
> tel/fax +7 495 745 89 50
> tel +7 495 777 77 07 (1613)
>
>
> _______________________________________________
> ISSForum mailing list
> ISSForum@iss.net
>
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
> https://atla-mm1.iss.net/mailman/listinfo/issforum
>
> To contact the ISSForum Moderator, send email to mod-issforum@iss.net
>
> The ISSForum mailing list is hosted and managed by Internet Security 
> Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com 

_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.

_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security Systems, 
6303 Barfield Road, Atlanta, Georgia, USA 30328.