If it's really so, how do you suggest to investigate if it's so or not??
I see only TCP_Port_Scans from A (in Internet) to B (in LAN), no
P2P_Activity, no *_Probe_*
I have all Probes switched on, and I know that if packet comes to closed
port Probe should be triggered...
I think it's not P2P. Any another ideas?
---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 495 745 89 50
tel +7 495 777 77 07 (1613)
-----Original Message-----
From: Palmer, Paul (ISSAtlanta) [mailto:PPalmer@iss.net]
Sent: Tuesday, January 17, 2006 10:04 PM
To: Soldatov, Sergey V.; issforum@atla-mm1.iss.net
Subject: RE: [ISSForum] TCP_Port_Scan
Sergey,
A data packet on an established connection would not
contribute to the TCP_Port_Scan signature.
We have seen a large increase in the number of TCP_Port_Scan
signatures triggered on customer networks over the last year
or so. Based upon my experience, the most likely explanation
for these events is Peer to Peer traffic. Some Peer to Peer
protocols will result in establishing a large number of out
of band callback ports for data transfer. If these are
blocked at the firewall or if the client goes offline it can
result in a large number of failed connection attempts. These
failed attempts, in turn, contribute to the port scan events
as the closed ports often remain registered on the peer to
peer network for some time.
Paul
-----Original Message-----
From: issforum-bounces@atla-mm1.iss.net On Behalf Of
Soldatov, Sergey V.
Sent: Friday, January 13, 2006 7:29 AM
To: issforum@atla-mm1.iss.net
Subject: [ISSForum] TCP_Port_Scan
Hi list!
In my SP console I see a lot of TCP_Port_Scan events for
Internet IPs to my local IPs. I suppose that this are false
positives because of HTTP replies from visited Web-sites, but
unfortunately I can't figure out if it's so, because SP (and
it's strange) does not show attacker's source port in event
details... Does anybody can recommend something to help me
investigate these TCP_Port_Scan events.
May be someone have experience in tuning TCP_Port_Scan event?
Any feedback will be welcome.
Thanks!
---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 495 745 89 50
tel +7 495 777 77 07 (1613)
_______________________________________________
ISSForum mailing list
ISSForum@iss.net
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to mod-issforum@iss.net
The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
_______________________________________________
ISSForum mailing list
ISSForum@iss.net
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to mod-issforum@iss.net
The ISSForum mailing list is hosted and managed by Internet Security Systems,
6303 Barfield Road, Atlanta, Georgia, USA 30328.
