If it's really so, how do you suggest investigating whether it's so or not? I see only TCP_Port_Scans from A (on the Internet) to B (in the LAN), no P2P_Activity, no *_Probe_*. I have all Probes switched on, and I know that if a packet comes to a closed port, a Probe should be triggered... I think it's not P2P. Any other ideas?

---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 495 745 89 50
tel +7 495 777 77 07 (1613)

> -----Original Message-----
> From: Palmer, Paul (ISSAtlanta) [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 17, 2006 10:04 PM
> To: Soldatov, Sergey V.; [EMAIL PROTECTED]
> Subject: RE: [ISSForum] TCP_Port_Scan
>
> Sergey,
>
> A data packet on an established connection would not
> contribute to the TCP_Port_Scan signature.
>
> We have seen a large increase in the number of TCP_Port_Scan
> signatures triggered on customer networks over the last year
> or so. Based upon my experience, the most likely explanation
> for these events is Peer to Peer traffic. Some Peer to Peer
> protocols will result in establishing a large number of out
> of band callback ports for data transfer. If these are
> blocked at the firewall or if the client goes offline it can
> result in a large number of failed connection attempts. These
> failed attempts, in turn, contribute to the port scan events
> as the closed ports often remain registered on the peer to
> peer network for some time.
>
> Paul
>
> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Soldatov, Sergey V.
> Sent: Friday, January 13, 2006 7:29 AM
> To: [EMAIL PROTECTED]
> Subject: [ISSForum] TCP_Port_Scan
>
> Hi list!
> In my SP console I see a lot of TCP_Port_Scan events for
> Internet IPs to my local IPs. I suppose that these are false
> positives because of HTTP replies from visited Web sites, but
> unfortunately I can't figure out if it's so, because SP (and
> it's strange) does not show the attacker's source port in event
> details... Can anybody recommend something to help me
> investigate these TCP_Port_Scan events?
>
> Maybe someone has experience in tuning the TCP_Port_Scan event?
>
> Any feedback will be welcome.
>
> Thanks!
>
> ---
> Best regards, Sergey V. Soldatov.
> Information security department.
> tel/fax +7 495 745 89 50
> tel +7 495 777 77 07 (1613)
>
> _______________________________________________
> ISSForum mailing list
> [email protected]
>
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> https://atla-mm1.iss.net/mailman/listinfo/issforum
>
> To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
>
> The ISSForum mailing list is hosted and managed by Internet Security
> Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
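
One way to check the explanations raised in this thread against packet or flow logs, added here as an example that is not part of any poster's message and is not ISS code. The record layout, the `LAN` prefix, the 5-port threshold, the hint wording and all sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
import ipaddress

LAN = ipaddress.ip_network("10.0.0.0/8")  # assumption: internal address space
MANY_PORTS = 5                            # assumption: arbitrary triage threshold

# Constructed records: (time, src, sport, dst, dport, tcp_flags)
SAMPLE = (
    # internal host first contacts a peer, the peer later tries six callback ports
    [(100, "10.1.1.5", 40001, "198.51.100.7", 6881, "S")]
    + [(160 + i, "198.51.100.7", 51000 + i, "10.1.1.5", 6881 + i, "S") for i in range(6)]
    # unsolicited SYNs to six well-known ports, no earlier outbound contact
    + [(200 + i, "192.0.2.44", 33000, "10.1.1.5", port, "S")
       for i, port in enumerate([21, 22, 23, 25, 80, 443])]
    # web browsing: only replies on a connection the internal host opened
    + [(300, "10.1.1.9", 40500, "203.0.113.10", 80, "S"),
       (301, "203.0.113.10", 80, "10.1.1.9", 40500, "SA"),
       (302, "203.0.113.10", 80, "10.1.1.9", 40500, "PA")]
)

def hint(p):
    """Turn the collected evidence into a next step for the analyst."""
    if not p["syn_ports"]:
        return "no new connection attempts: replies on existing flows"
    if p["prior_outbound"]:
        return "internal host contacted this peer first: check it for a P2P client"
    if len(p["syn_ports"]) >= MANY_PORTS:
        return "unsolicited SYNs to many ports: treat as a scan"
    return "few unsolicited SYNs"

def triage(records, lan=LAN):
    """Summarise inbound traffic per (external source, internal destination)."""
    seen_outbound = set()  # (internal, external) pairs the internal host initiated
    pairs = defaultdict(lambda: {"syn_ports": set(), "src_ports": set(),
                                 "ack_pkts": 0, "prior_outbound": False})
    for ts, src, sport, dst, dport, flags in sorted(records):
        src_in = ipaddress.ip_address(src) in lan
        dst_in = ipaddress.ip_address(dst) in lan
        if src_in and not dst_in and flags == "S":
            seen_outbound.add((src, dst))
        elif dst_in and not src_in:
            p = pairs[(src, dst)]
            p["src_ports"].add(sport)
            if flags == "S":  # pure SYN: a new connection attempt
                p["syn_ports"].add(dport)
                p["prior_outbound"] |= (dst, src) in seen_outbound
            else:             # ACK-bearing packet on an existing flow
                p["ack_pkts"] += 1
    return {pair: dict(p, hint=hint(p)) for pair, p in pairs.items()}
```

The `src_ports` set in each result gives the attacker-side source ports that the original poster says the console does not show.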
