Re: [ISSForum] TCP_Port_Scan

Me too see the same event from our web servers to public network, and
as we know most of the traffic to these web servers is HTTPS based, is
it due to these encrypted traffic.

Ismail
RB

On 1/18/06, Soldatov, Sergey V. <SVSoldatov@tnk-bp.com> wrote:
> If it's really so, how do you suggest to investigate if it's so or not??
> I see only TCP_Port_Scans from A (in Internet) to B (in LAN), no
> P2P_Activity, no *_Probe_*
> I have all Probes switched on, and I know that if packet comes to closed
> port Probe should be triggered...
> I think it's not P2P. Any another ideas?
>
> ---
> Best regards, Sergey V. Soldatov.
> Information security department.
> tel/fax +7 495 745 89 50
> tel +7 495 777 77 07 (1613)
>
> > -----Original Message-----
> > From: Palmer, Paul (ISSAtlanta) [mailto:PPalmer@iss.net]
> > Sent: Tuesday, January 17, 2006 10:04 PM
> > To: Soldatov, Sergey V.; issforum@atla-mm1.iss.net
> > Subject: RE: [ISSForum] TCP_Port_Scan
> >
> > Sergey,
> >
> > A data packet on an established connection would not
> > contribute to the TCP_Port_Scan signature.
> >
> > We have seen a large increase in the number of TCP_Port_Scan
> > signatures triggered on customer networks over the last year
> > or so. Based upon my experience, the most likely explanation
> > for these events is Peer to Peer traffic. Some Peer to Peer
> > protocols will result in establishing a large number of out
> > of band callback ports for data transfer. If these are
> > blocked at the firewall or if the client goes offline it can
> > result in a large number of failed connection attempts. These
> > failed attempts, in turn, contribute to the port scan events
> > as the closed ports often remain registered on the peer to
> > peer network for some time.
> >
> > Paul
> >
> > -----Original Message-----
> > From: issforum-bounces@atla-mm1.iss.net On Behalf Of
> > Soldatov, Sergey V.
> > Sent: Friday, January 13, 2006 7:29 AM
> > To: issforum@atla-mm1.iss.net
> > Subject: [ISSForum] TCP_Port_Scan
> >
> >
> > Hi list!
> > In my SP console I see a lot of TCP_Port_Scan events for
> > Internet IPs to my local IPs. I suppose that this are  false
> > positives because of HTTP replies from visited Web-sites, but
> > unfortunately I can't figure out if it's so, because SP (and
> > it's strange) does not show attacker's source port in event
> > details... Does anybody can recommend something to help me
> > investigate these TCP_Port_Scan events.
> >
> > May be someone have experience in tuning TCP_Port_Scan event?
> >
> > Any feedback will be welcome.
> >
> > Thanks!
> >
> > ---
> > Best regards, Sergey V. Soldatov.
> > Information security department.
> > tel/fax +7 495 745 89 50
> > tel +7 495 777 77 07 (1613)
> >
> >
> > _______________________________________________
> > ISSForum mailing list
> > ISSForum@iss.net
> >
> > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> > https://atla-mm1.iss.net/mailman/listinfo/issforum
> >
> > To contact the ISSForum Moderator, send email to mod-issforum@iss.net
> >
> > The ISSForum mailing list is hosted and managed by Internet Security
> > Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
>
>
> _______________________________________________
> ISSForum mailing list
> ISSForum@iss.net
>
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
> https://atla-mm1.iss.net/mailman/listinfo/issforum
>
> To contact the ISSForum Moderator, send email to mod-issforum@iss.net
>
> The ISSForum mailing list is hosted and managed by Internet Security Systems, 
> 6303 Barfield Road, Atlanta, Georgia, USA 30328.


_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security Systems, 
6303 Barfield Road, Atlanta, Georgia, USA 30328.