Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security ISSForum
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ISSForum] TCP_Port_Scan

from [Palmer, Paul \(ISSAtlanta\)] Network Security [Permanent Link]
Subject: Re: [ISSForum] TCP_Port_Scan
Date: Tue, 17 Jan 2006 14:18:53 -0500 
Sergey,

TCP_Port_Scan doesn't just represent traffic from one connection
attempt. It consolidates information from many connection attempts. The
sensor does not remember all of the source ports involved in the
TCP_Port_Scan. Therefore, it cannot report them.

Paul

-----Original Message-----
From: issforum-bounces@atla-mm1.iss.net On Behalf Of Soldatov, Sergey V.
Sent: Tuesday, January 17, 2006 4:52 AM
To: Jason Baeder; issforum@atla-mm1.iss.net
Subject: Re: [ISSForum] TCP_Port_Scan


We can filter TCP_Port_Scan false positives by Event Filter: i.e. filter
all TCP_Port_Scan from port 80 from Internet (be sure that this traffic
is closed on firewall) or from known web sites. But ISS does not show
source port, does anybody know why?

I tried to filter all TCP_Port_Scans from 80, but seems this does not
work :-( Any ideas?

Thanks
---
Best regards, Sergey V. Soldatov.
Information security department.



-----Original Message-----
From: Jason Baeder [mailto:jason_baeder@yahoo.com]
Sent: Friday, January 13, 2006 6:59 PM
To: Soldatov, Sergey V.; issforum@iss.net
Subject: Re: [ISSForum] TCP_Port_Scan

Sergey,

I do not believe there is any effective way to tune the tcp
port scan sig in SP.  Due to the limited information that SP 
often provides (one my own pet peeves) it can take some work 
to figure out which is a real port scan. A few pointers:

1) If you see something this "80|135|139|445|1025|2745|3127|6129"
in the port column (in Event Analysis Details view), it is 
likely a port scan.  I'm sure there are many theories to 
explain why a series of packets will arrive at our DMZ on 
those specific ports from address space at a web-hosting 
company, but I think it's a port scan from an 0wn3d box.

2) If you see something like this "59097|59181|59192|59203"
in the port column, and the source IP address is one of your 
public web servers, you can be sure it is HTTP return 
traffic.  Note the port increments....click link (HTTP GET), 
scan page for desired info,click link (HTTP GET), scan page 
for desired info,click link(HTTP GET)...... 

3) If you see something similar to #2, with a destination
address of a host inside your network (by this I mean a user 
workstation), it is also likely to be mundane return traffic. 
 You should confirm with spot checks on source IP addresses.  
You'll probably find your users are enjoying the typical mix 
of Internet experiences.  With HTTP you'll find similar port 
patterns in the port column.

4) Finally, when in doubt, tcpdump.

This certainly doesn't cover all cases, but the most common
ones I see on a daily basis.

Regards,
Jason Baeder


--- "Soldatov, Sergey V." <SVSoldatov@tnk-bp.com> wrote:


Hi list!
In my SP console I see a lot of TCP_Port_Scan events for

Internet IPs

to my local IPs. I suppose that this are  false positives

because of

HTTP replies from visited Web-sites, but unfortunately I

can't figure

out if it's so, because SP (and it's strange) does not show

attacker's

source port in event details... Does anybody can recommend

something

to help me investigate these TCP_Port_Scan events.

May be someone have experience in tuning TCP_Port_Scan event?

Any feedback will be welcome.

Thanks!

---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 495 745 89 50
tel +7 495 777 77 07 (1613)


_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to

mod-issforum@iss.net


The ISSForum mailing list is hosted and managed by Internet

Security

Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.




__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection
around http://mail.yahoo.com 




_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.

_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security Systems, 
6303 Barfield Road, Atlanta, Georgia, USA 30328.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ISSForum] DB_XPU_1_86_X_20060112.xpu failed to install, Hertzog, Albert
Next by Date:  Re: [ISSForum] Inspect web mail, Palmer, Paul \(ISSAtlanta\)
Previous by Thread:  Re: [ISSForum] TCP_Port_Scan, Palmer, Paul \(ISSAtlanta\)
Next by Thread:  Re: [ISSForum] TCP_Port_Scan, Soldatov, Sergey V.
Indexes:  [Date] [Thread] [Top] [All Lists]