Re: [ISSForum] TCP_Port_Scan
From: Soldatov, Sergey V. (SVSoldatovtnk-bp.com)
Date: Wed Jan 18 2006 - 00:01:34 CST
If it's really so, how do you suggest investigating whether it's so or not?
I see only TCP_Port_Scans from A (on the Internet) to B (in the LAN), no
P2P_Activity, no *_Probe_*.
I have all Probes switched on, and I know that if a packet comes to a closed
port, a Probe should be triggered...
I think it's not P2P. Any other ideas?
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 495 745 89 50
tel +7 495 777 77 07 (1613)
> -----Original Message-----
> From: Palmer, Paul (ISSAtlanta) [mailto:PPalmeriss.net]
> Sent: Tuesday, January 17, 2006 10:04 PM
> To: Soldatov, Sergey V.; issforumatla-mm1.iss.net
> Subject: RE: [ISSForum] TCP_Port_Scan
> A data packet on an established connection would not
> contribute to the TCP_Port_Scan signature.
> We have seen a large increase in the number of TCP_Port_Scan
> signatures triggered on customer networks over the last year
> or so. Based upon my experience, the most likely explanation
> for these events is Peer to Peer traffic. Some Peer to Peer
> protocols will result in establishing a large number of out
> of band callback ports for data transfer. If these are
> blocked at the firewall or if the client goes offline it can
> result in a large number of failed connection attempts. These
> failed attempts, in turn, contribute to the port scan events
> as the closed ports often remain registered on the peer to
> peer network for some time.
> -----Original Message-----
> From: issforum-bouncesatla-mm1.iss.net On Behalf Of
> Soldatov, Sergey V.
> Sent: Friday, January 13, 2006 7:29 AM
> To: issforumatla-mm1.iss.net
> Subject: [ISSForum] TCP_Port_Scan
> Hi list!
> In my SP console I see a lot of TCP_Port_Scan events for
> Internet IPs to my local IPs. I suppose that these are false
> positives because of HTTP replies from visited Web sites, but
> unfortunately I can't figure out if it's so, because SP (and
> it's strange) does not show the attacker's source port in the event
> details... Can anybody recommend something to help me
> investigate these TCP_Port_Scan events?
> Maybe someone has experience in tuning the TCP_Port_Scan event?
> Any feedback will be welcome.
> Best regards, Sergey V. Soldatov.
> Information security department.
> tel/fax +7 495 745 89 50
> tel +7 495 777 77 07 (1613)
ISSForum mailing list
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to mod-issforumiss.net
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
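
One way to check the explanations raised in this thread against a packet capture, as an added example that is not part of the original messages and is not the ISS signature logic: it counts only failed inbound SYNs per source/destination pair and marks destination ports the internal host had answered on earlier. The record layout, the `MIN_PORTS` threshold, the `10.` internal prefix and the verdict names are assumptions, and the records are constructed.

```python
from collections import defaultdict

MIN_PORTS = 3  # assumed reporting threshold, not the sensor's real setting

# Constructed records: (time, src, sport, dst, dport, tcp_flags)
RECORDS = [
    (1, "10.0.0.5", 40001, "198.51.100.7", 80, "S"),    # B opens a web page
    (2, "198.51.100.7", 80, "10.0.0.5", 40001, "SA"),   # HTTP server replies
    (3, "198.51.100.7", 80, "10.0.0.5", 40001, "PA"),   # data on that connection
] + [
    # While a P2P client runs on B, B answers a peer on its callback ports.
    rec for p in (6881, 6882, 6883) for rec in (
        (10, "203.0.113.9", 50000 + p, "10.0.0.5", p, "S"),
        (11, "10.0.0.5", p, "203.0.113.9", 50000 + p, "SA"))
] + [
    # Client stopped: the same peer keeps trying the now-closed ports.
    (100, "203.0.113.9", 52000 + p, "10.0.0.5", p, "S") for p in (6881, 6882, 6883)
] + [
    # A source trying ports B never served.
    (200, "203.0.113.66", 53000, "10.0.0.5", p, "S") for p in (21, 22, 23, 25)
]

def triage(records, internal_prefix="10."):
    answered, opened = set(), {}
    for t, src, sport, dst, dport, flags in records:
        if flags == "SA":  # src accepted a connection on sport
            answered.add((src, sport, dst, dport))
            opened[(src, sport)] = min(t, opened.get((src, sport), t))
    failed, stale = defaultdict(set), defaultdict(set)
    for t, src, sport, dst, dport, flags in records:
        inbound = dst.startswith(internal_prefix) and not src.startswith(internal_prefix)
        if flags != "S" or not inbound or (dst, dport, src, sport) in answered:
            continue  # replies, data and successful connects do not count
        failed[(src, dst)].add(dport)
        if opened.get((dst, dport), t) < t:
            stale[(src, dst)].add(dport)  # dst served this port earlier
    report = {}
    for pair, ports in failed.items():
        if len(ports) < MIN_PORTS:
            continue
        old = stale[pair]
        verdict = "stale-listener" if old == ports else "scan-like" if not old else "mixed"
        report[pair] = {"ports": sorted(ports), "stale": sorted(old), "verdict": verdict}
    return report

if __name__ == "__main__":
    for pair, info in triage(RECORDS).items():
        print(pair, info)
```

A "stale-listener" verdict fits the closed-callback-port explanation given in the quoted reply, while "scan-like" means none of the targeted ports were ever seen open on the internal host.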