Re: [ISSForum] TCP_Port_Scan
From: Soldatov, Sergey V. (SVSoldatov@tnk-bp.com)
Date: Wed Jan 18 2006 - 00:01:34 CST
If it's really so, how do you suggest investigating whether it's so or not?
I see only TCP_Port_Scans from A (on the Internet) to B (on the LAN), no
P2P_Activity, no *_Probe_*.
I have all Probes switched on, and I know that if a packet comes to a closed
port, a Probe should be triggered...
I think it's not P2P. Any other ideas?
---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 495 745 89 50
tel +7 495 777 77 07 (1613)
> -----Original Message-----
> From: Palmer, Paul (ISSAtlanta) [mailto:PPalmer@iss.net]
> Sent: Tuesday, January 17, 2006 10:04 PM
> To: Soldatov, Sergey V.; issforum@atla-mm1.iss.net
> Subject: RE: [ISSForum] TCP_Port_Scan
>
> Sergey,
>
> A data packet on an established connection would not
> contribute to the TCP_Port_Scan signature.
>
> We have seen a large increase in the number of TCP_Port_Scan
> signatures triggered on customer networks over the last year
> or so. Based upon my experience, the most likely explanation
> for these events is Peer to Peer traffic. Some Peer to Peer
> protocols will result in establishing a large number of out
> of band callback ports for data transfer. If these are
> blocked at the firewall or if the client goes offline it can
> result in a large number of failed connection attempts. These
> failed attempts, in turn, contribute to the port scan events
> as the closed ports often remain registered on the peer to
> peer network for some time.
>
> Paul
>
> -----Original Message-----
> From: issforum-bounces@atla-mm1.iss.net On Behalf Of
> Soldatov, Sergey V.
> Sent: Friday, January 13, 2006 7:29 AM
> To: issforum@atla-mm1.iss.net
> Subject: [ISSForum] TCP_Port_Scan
>
>
> Hi list!
> In my SP console I see a lot of TCP_Port_Scan events for
> Internet IPs to my local IPs. I suppose that these are false
> positives because of HTTP replies from visited Web-sites, but
> unfortunately I can't figure out if it's so, because SP (and
> it's strange) does not show attacker's source port in event
> details... Can anybody recommend something to help me
> investigate these TCP_Port_Scan events?
>
> Maybe someone has experience in tuning the TCP_Port_Scan event?
>
> Any feedback will be welcome.
>
> Thanks!
>
> ---
> Best regards, Sergey V. Soldatov.
> Information security department.
> tel/fax +7 495 745 89 50
> tel +7 495 777 77 07 (1613)
>
>
> _______________________________________________
> ISSForum mailing list
> ISSForum@iss.net
>
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> https://atla-mm1.iss.net/mailman/listinfo/issforum
>
> To contact the ISSForum Moderator, send email to mod-issforum@iss.net
>
> The ISSForum mailing list is hosted and managed by Internet Security
> Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
>
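One way to triage the question raised in this thread, as an added example that is not from the posters or from ISS: take connection records from a firewall or flow log and, for each external address A sending bare SYNs to many ports on an internal host B, check whether B contacted A first, which is consistent with the callback explanation given above. The record layout, the LAN range, the thresholds and the sample data are assumptions constructed for illustration; the code does not reproduce how the TCP_Port_Scan signature itself is computed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/8")   # assumption: internal address space
MIN_PORTS = 5                     # assumption: distinct ports that count as a fan-out
LOOKBACK = 3600                   # assumption: seconds of prior contact to look for

# Constructed sample records: (epoch_seconds, src_ip, src_port, dst_ip, dst_port, tcp_flags)
SAMPLE = [
    (1000, "10.0.0.5", 40001, "203.0.113.7", 6881, "S"),   # B contacted A first
    *[(1200 + i, "203.0.113.7", 50000 + i, "10.0.0.5", 6881 + i, "S") for i in range(6)],
    *[(1300 + i, "198.51.100.9", 41000 + i, "10.0.0.8", 20 + i, "S") for i in range(6)],
    (1400, "192.0.2.3", 80, "10.0.0.8", 40100, "SA"),      # reply traffic, not a new SYN
]

def triage(records, lan=LAN, min_ports=MIN_PORTS, lookback=LOOKBACK):
    """Classify each external->internal SYN fan-out as 'prior-contact' or 'unsolicited'."""
    outbound = defaultdict(list)   # (internal, external) -> times the internal host sent a SYN
    inbound = defaultdict(dict)    # (external, internal) -> {dst_port: first_seen}
    for ts, src, sport, dst, dport, flags in sorted(records):
        if flags != "S":           # only bare SYNs open connections; skip SYN-ACK and data
            continue
        src_in, dst_in = ip_address(src) in lan, ip_address(dst) in lan
        if src_in and not dst_in:
            outbound[(src, dst)].append(ts)
        elif dst_in and not src_in:
            inbound[(src, dst)].setdefault(dport, ts)
    verdicts = {}
    for (ext, host), ports in inbound.items():
        if len(ports) < min_ports:
            continue
        first = min(ports.values())
        # Did the internal host reach out to this address shortly before the fan-out began?
        prior = any(first - lookback <= t < first for t in outbound[(host, ext)])
        verdicts[(ext, host)] = {
            "ports": sorted(ports),
            "verdict": "prior-contact" if prior else "unsolicited",
        }
    return verdicts

if __name__ == "__main__":
    for pair, info in triage(SAMPLE).items():
        print(pair, info["verdict"], info["ports"])
```

A "prior-contact" verdict only shows that the internal host initiated traffic to that address beforehand; an "unsolicited" verdict means the log holds no such evidence within the lookback window, not that peer-to-peer traffic is ruled out.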