Re: Getting port scans while I would think that the system that is scanned is not reachable because of my pf rules
From: knitti (knitti gmail.com)
Date: Mon Feb 07 2005 - 09:25:58 CST
On Mon, 7 Feb 2005 14:31:18 +0100, forums <forum vanleeuwen.nl> wrote:
> It tells me so, in the log of that system (ISA2004). for example :
>
> ISA Server detected an all port scan attack from Internet Protocol (IP)
> address 12.130.12.31
> ISA Server detected an all port scan attack from Internet Protocol (IP)
> address 64.14.128.201
> ISA Server detected an all port scan attack from Internet Protocol (IP)
> address 213.239.154.35.
> etc...
I don't know how frequently you get these, but a starting point would
definitely be looking with tcpdump at the connection between your
front fw and your back fw. Find out which traffic caused these, and
compare with your rules.

If you got the traffic, and don't know what to make of it, it will be far
easier for people on the list to tell what could be wrong, than just
saying "someone told me my firewall is leaking".
--knitti
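
One way to follow this advice, as an added example that is not part of the original thread: pull the addresses out of the ISA alerts and turn them into a tcpdump filter, so the capture between the two firewalls shows only the traffic that triggered them. The alert lines are a constructed sample built from the ones quoted above, and the interface name `fxp1` is an assumption.

```shell
#!/bin/sh
# Constructed sample: the three alert lines quoted in the thread, one per line.
sample_alerts() {
cat <<'EOF'
ISA Server detected an all port scan attack from Internet Protocol (IP) address 12.130.12.31
ISA Server detected an all port scan attack from Internet Protocol (IP) address 64.14.128.201
ISA Server detected an all port scan attack from Internet Protocol (IP) address 213.239.154.35.
EOF
}

# Read alert text on stdin, print each distinct IPv4 address once.
alert_sources() {
    grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# Read alert text on stdin, print a filter expression for tcpdump:
# "host A or host B or ..." (matches traffic in both directions).
build_filter() {
    alert_sources | awk '
        NR > 1 { printf " or " }
               { printf "host %s", $0 }
        END    { if (NR) printf "\n" }'
}

FILTER=$(sample_alerts | build_filter)
echo "$FILTER"

# On the pf firewall, watch the interface that faces the ISA server
# (fxp1 is an assumed name; use the real one):
#   tcpdump -n -e -ttt -i fxp1 "$FILTER"
# If the pf rules carry the "log" keyword, pflog0 shows which rule
# passed or blocked each packet, which is what to compare with pf.conf:
#   tcpdump -n -e -ttt -i pflog0 "$FILTER"
```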