I haven't piped up about it but I have the same problem. Lots of false positives and very difficult to tell what the heck the traffic was supposed to be doing.
David -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Baeder Sent: Friday, January 13, 2006 10:59 AM To: Soldatov, Sergey V.; [email protected] Subject: [ISSForum] [[SPAM]] Re: TCP_Port_Scan Sergey, I do not believe there is any effective way to tune the tcp port scan sig in SP. Due to the limited information that SP often provides (one my own pet peeves) it can take some work to figure out which is a real port scan. A few pointers: 1) If you see something this "80|135|139|445|1025|2745|3127|6129" in the port column (in Event Analysis Details view), it is likely a port scan. I'm sure there are many theories to explain why a series of packets will arrive at our DMZ on those specific ports from address space at a web-hosting company, but I think it's a port scan from an 0wn3d box. 2) If you see something like this "59097|59181|59192|59203" in the port column, and the source IP address is one of your public web servers, you can be sure it is HTTP return traffic. Note the port increments....click link (HTTP GET), scan page for desired info,click link (HTTP GET), scan page for desired info,click link(HTTP GET)...... 3) If you see something similar to #2, with a destination address of a host inside your network (by this I mean a user workstation), it is also likely to be mundane return traffic. You should confirm with spot checks on source IP addresses. You'll probably find your users are enjoying the typical mix of Internet experiences. With HTTP you'll find similar port patterns in the port column. 4) Finally, when in doubt, tcpdump. This certainly doesn't cover all cases, but the most common ones I see on a daily basis. Regards, Jason Baeder --- "Soldatov, Sergey V." <[EMAIL PROTECTED]> wrote: > Hi list! > In my SP console I see a lot of TCP_Port_Scan events for Internet IPs > to > my local IPs. I suppose that this are false positives because of > HTTP > replies from visited Web-sites, but unfortunately I can't figure out > if > it's so, because SP (and it's strange) does not show attacker's > source > port in event details... Does anybody can recommend something to help > me > investigate these TCP_Port_Scan events. > > May be someone have experience in tuning TCP_Port_Scan event? > > Any feedback will be welcome. > > Thanks! > > --- > Best regards, Sergey V. Soldatov. > Information security department. > tel/fax +7 495 745 89 50 > tel +7 495 777 77 07 (1613) > > > _______________________________________________ > ISSForum mailing list > [email protected] > > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to > https://atla-mm1.iss.net/mailman/listinfo/issforum > > To contact the ISSForum Moderator, send email to [EMAIL PROTECTED] > > The ISSForum mailing list is hosted and managed by Internet Security > Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328. > __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com _______________________________________________ ISSForum mailing list [email protected] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum To contact the ISSForum Moderator, send email to [EMAIL PROTECTED] The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328. _______________________________________________ ISSForum mailing list [email protected] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum To contact the ISSForum Moderator, send email to [EMAIL PROTECTED] The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
