Sergey, TCP_Port_Scan doesn't just represent traffic from one connection attempt. It consolidates information from many connection attempts. The sensor does not remember all of the source ports involved in the TCP_Port_Scan. Therefore, it cannot report them.
Paul -----Original Message----- From: [EMAIL PROTECTED] On Behalf Of Soldatov, Sergey V. Sent: Tuesday, January 17, 2006 4:52 AM To: Jason Baeder; [EMAIL PROTECTED] Subject: Re: [ISSForum] TCP_Port_Scan We can filter TCP_Port_Scan false positives by Event Filter: i.e. filter all TCP_Port_Scan from port 80 from Internet (be sure that this traffic is closed on firewall) or from known web sites. But ISS does not show source port, does anybody know why? I tried to filter all TCP_Port_Scans from 80, but seems this does not work :-( Any ideas? Thanks --- Best regards, Sergey V. Soldatov. Information security department. > -----Original Message----- > From: Jason Baeder [mailto:[EMAIL PROTECTED] > Sent: Friday, January 13, 2006 6:59 PM > To: Soldatov, Sergey V.; [email protected] > Subject: Re: [ISSForum] TCP_Port_Scan > > Sergey, > > I do not believe there is any effective way to tune the tcp > port scan sig in SP. Due to the limited information that SP > often provides (one my own pet peeves) it can take some work > to figure out which is a real port scan. A few pointers: > > 1) If you see something this "80|135|139|445|1025|2745|3127|6129" > in the port column (in Event Analysis Details view), it is > likely a port scan. I'm sure there are many theories to > explain why a series of packets will arrive at our DMZ on > those specific ports from address space at a web-hosting > company, but I think it's a port scan from an 0wn3d box. > > 2) If you see something like this "59097|59181|59192|59203" > in the port column, and the source IP address is one of your > public web servers, you can be sure it is HTTP return > traffic. Note the port increments....click link (HTTP GET), > scan page for desired info,click link (HTTP GET), scan page > for desired info,click link(HTTP GET)...... > > 3) If you see something similar to #2, with a destination > address of a host inside your network (by this I mean a user > workstation), it is also likely to be mundane return traffic. > You should confirm with spot checks on source IP addresses. > You'll probably find your users are enjoying the typical mix > of Internet experiences. With HTTP you'll find similar port > patterns in the port column. > > 4) Finally, when in doubt, tcpdump. > > This certainly doesn't cover all cases, but the most common > ones I see on a daily basis. > > Regards, > Jason Baeder > > > --- "Soldatov, Sergey V." <[EMAIL PROTECTED]> wrote: > > > Hi list! > > In my SP console I see a lot of TCP_Port_Scan events for > Internet IPs > > to my local IPs. I suppose that this are false positives > because of > > HTTP replies from visited Web-sites, but unfortunately I > can't figure > > out if it's so, because SP (and it's strange) does not show > attacker's > > source port in event details... Does anybody can recommend > something > > to help me investigate these TCP_Port_Scan events. > > > > May be someone have experience in tuning TCP_Port_Scan event? > > > > Any feedback will be welcome. > > > > Thanks! > > > > --- > > Best regards, Sergey V. Soldatov. > > Information security department. > > tel/fax +7 495 745 89 50 > > tel +7 495 777 77 07 (1613) > > > > > > _______________________________________________ > > ISSForum mailing list > > [email protected] > > > > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to > > https://atla-mm1.iss.net/mailman/listinfo/issforum > > > > To contact the ISSForum Moderator, send email to > [EMAIL PROTECTED] > > > > The ISSForum mailing list is hosted and managed by Internet > Security > > Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328. > > > > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection > around http://mail.yahoo.com > _______________________________________________ ISSForum mailing list [email protected] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum To contact the ISSForum Moderator, send email to [EMAIL PROTECTED] The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328. _______________________________________________ ISSForum mailing list [email protected] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum To contact the ISSForum Moderator, send email to [EMAIL PROTECTED] The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
