Hi Everybody:

I have seen in many firewalls (ISA Server, Sonicwall and Gauntlet) a
detection of a TCP FIN scan coming from a specific DNS or Web server. In the
log you can always see something like this:


03/17/2001 20:17:53.592 - Possible Port Scan - Source:192.168.1.2, 53, WAN
- Destination:10.1.1.98, 13478, LAN -   

03/17/2001 22:15:34.367 - Possible Port Scan - Source:192.168.1.2, 53, WAN
- Destination:10.1.1.98, 4978, LAN -    

(The IPs are not the true IPs)

As you can see, the source port is always 53, i.e. DNS. I think this could
be an answer to a valid request from the target of the "port scan", but the
firewall misinterprets it as a true port scan (or this is the feeling of
the administrator of the machine).

What are your opinions? Has anybody seen this?

Thanks in advance


Regards from Chile
Fredy R. Santana V.  
Electrical Civil Engineer - CCSA
Orion 2000 - Professional Services in Information Security
La Concepcion 322 piso 12, Providencia.
Santiago, Chile
Phone: 56-2-6403944, Fax: 56-2-6403990
e-mail: [EMAIL PROTECTED]
http://www.orion.cl
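
One way to triage the alerts quoted in the message above, as an added example that is not part of the original post: it parses the quoted log format and checks whether each flagged packet answers a request the LAN host sent first, since a source port of 53 alone does not establish that. The outbound connection records, the 30-second window and the third alert are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Alert format as quoted in the post, with each wrapped entry joined onto one line.
ALERT_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - Possible Port Scan - "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), \w+\s*- "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), \w+")
TS_FMT = "%m/%d/%Y %H:%M:%S.%f"
SERVICE_PORTS = {53, 80}        # DNS and web, the server types named in the post
WINDOW = timedelta(seconds=30)  # assumption: longest request-to-reply delay accepted

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], TS_FMT), "src": m["src"],
            "sport": int(m["sport"]), "dst": m["dst"], "dport": int(m["dport"])}

def classify(alert, outbound):
    """outbound: (time, lan_ip, lan_port, server_ip, server_port) tuples taken
    from a hypothetical log of connections the LAN hosts initiated."""
    if alert["sport"] not in SERVICE_PORTS or alert["dport"] < 1024:
        return "investigate"              # does not look like a server reply
    for ts, lan_ip, lan_port, srv_ip, srv_port in outbound:
        same_flow = (lan_ip, lan_port, srv_ip, srv_port) == (
            alert["dst"], alert["dport"], alert["src"], alert["sport"])
        if same_flow and timedelta(0) <= alert["ts"] - ts <= WINDOW:
            return "reply-to-request"     # LAN host asked first: false positive
    return "unmatched-reply-pattern"      # reply-shaped, but no request on record

# First two alerts are the post's own; the third is constructed.
ALERTS = [
    "03/17/2001 20:17:53.592 - Possible Port Scan - Source:192.168.1.2, 53, WAN - Destination:10.1.1.98, 13478, LAN -",
    "03/17/2001 22:15:34.367 - Possible Port Scan - Source:192.168.1.2, 53, WAN - Destination:10.1.1.98, 4978, LAN -",
    "03/17/2001 23:01:10.004 - Possible Port Scan - Source:192.168.1.7, 40211, WAN - Destination:10.1.1.98, 22, LAN -",
]
# Constructed outbound record: the LAN host's DNS query just before the first alert.
OUTBOUND = [(datetime(2001, 3, 17, 20, 17, 53, 100000), "10.1.1.98", 13478, "192.168.1.2", 53)]

def triage(lines, outbound):
    return [classify(a, outbound) for a in map(parse_alert, lines) if a]

if __name__ == "__main__":
    for line, verdict in zip(ALERTS, triage(ALERTS, OUTBOUND)):
        print(verdict, "<-", line[:23])
```

The second alert comes out as "unmatched-reply-pattern" only because the constructed outbound list holds no request for it; with the real outbound log of the LAN host it would be matched the same way as the first.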
