Me too see the same event from our web servers to public network, and as we know most of the traffic to these web servers is HTTPS based, is it due to these encrypted traffic.
Ismail RB On 1/18/06, Soldatov, Sergey V. <[EMAIL PROTECTED]> wrote: > If it's really so, how do you suggest to investigate if it's so or not?? > I see only TCP_Port_Scans from A (in Internet) to B (in LAN), no > P2P_Activity, no *_Probe_* > I have all Probes switched on, and I know that if packet comes to closed > port Probe should be triggered... > I think it's not P2P. Any another ideas? > > --- > Best regards, Sergey V. Soldatov. > Information security department. > tel/fax +7 495 745 89 50 > tel +7 495 777 77 07 (1613) > > > -----Original Message----- > > From: Palmer, Paul (ISSAtlanta) [mailto:[EMAIL PROTECTED] > > Sent: Tuesday, January 17, 2006 10:04 PM > > To: Soldatov, Sergey V.; [EMAIL PROTECTED] > > Subject: RE: [ISSForum] TCP_Port_Scan > > > > Sergey, > > > > A data packet on an established connection would not > > contribute to the TCP_Port_Scan signature. > > > > We have seen a large increase in the number of TCP_Port_Scan > > signatures triggered on customer networks over the last year > > or so. Based upon my experience, the most likely explanation > > for these events is Peer to Peer traffic. Some Peer to Peer > > protocols will result in establishing a large number of out > > of band callback ports for data transfer. If these are > > blocked at the firewall or if the client goes offline it can > > result in a large number of failed connection attempts. These > > failed attempts, in turn, contribute to the port scan events > > as the closed ports often remain registered on the peer to > > peer network for some time. > > > > Paul > > > > -----Original Message----- > > From: [EMAIL PROTECTED] On Behalf Of > > Soldatov, Sergey V. > > Sent: Friday, January 13, 2006 7:29 AM > > To: [EMAIL PROTECTED] > > Subject: [ISSForum] TCP_Port_Scan > > > > > > Hi list! > > In my SP console I see a lot of TCP_Port_Scan events for > > Internet IPs to my local IPs. I suppose that this are false > > positives because of HTTP replies from visited Web-sites, but > > unfortunately I can't figure out if it's so, because SP (and > > it's strange) does not show attacker's source port in event > > details... Does anybody can recommend something to help me > > investigate these TCP_Port_Scan events. > > > > May be someone have experience in tuning TCP_Port_Scan event? > > > > Any feedback will be welcome. > > > > Thanks! > > > > --- > > Best regards, Sergey V. Soldatov. > > Information security department. > > tel/fax +7 495 745 89 50 > > tel +7 495 777 77 07 (1613) > > > > > > _______________________________________________ > > ISSForum mailing list > > [email protected] > > > > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to > > https://atla-mm1.iss.net/mailman/listinfo/issforum > > > > To contact the ISSForum Moderator, send email to [EMAIL PROTECTED] > > > > The ISSForum mailing list is hosted and managed by Internet Security > > Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328. > > > > > _______________________________________________ > ISSForum mailing list > [email protected] > > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to > https://atla-mm1.iss.net/mailman/listinfo/issforum > > To contact the ISSForum Moderator, send email to [EMAIL PROTECTED] > > The ISSForum mailing list is hosted and managed by Internet Security Systems, > 6303 Barfield Road, Atlanta, Georgia, USA 30328. > _______________________________________________ ISSForum mailing list [email protected] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum To contact the ISSForum Moderator, send email to [EMAIL PROTECTED] The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
