8signs port scan

Discussion in 'other firewalls' started by ISSnewb3, Jan 29, 2006.

Thread Status:
Not open for further replies.
  1. ISSnewb3

    ISSnewb3 Registered Member

    Joined:
    Jan 25, 2006
    Posts:
    4
    I just installed 8signs trial due to reading from other posters' comments about 8signs.

    2006/01/29, 10:31:49.851, GMT -0600, 2118, Port scan: src=X, dst=Y, TTL=128, ports: 33046, 33407, 33790


    That is what I got in my 8signs firewall log. X is my IP address. I thought src should be Y where the scanner is and dst should be my Ip address.

    any inputs please? I'm a little confused.

    Thx a lot
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi ISSnewb3

    ... and welcome to Wilders :)

    Did you look into the destination IP and does it relate to anything you were doing at the time? The high TTL would suggest it is related to traffic you inititated.

    In the port scan properties did you make any changes to the threshold or time limit settings?

    Regards,

    CrazyM
     
    Last edited: Jan 29, 2006
  3. ISSnewb3

    ISSnewb3 Registered Member

    Joined:
    Jan 25, 2006
    Posts:
    4
    nope, i didn't make any change to the port scan properties.

    Src is still the server's ip address.

    Does that mean the server itself is scanning the destination (user) ip address?

    thx
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    It does appear to be traffic from the source IP (your server) triggering the port scan detection. Whether it is actually scanning these other IP's or something else it is doing is triggering this still needs to be determined.

    Unless it has changed, the types of port scans identified by 8Sings are: Normal "Connect" Port Scan, SYN Scan (aka Stealth Scan), ACK and Window Scans, FIN Scan, NULL Scan, Xmas Scan, Full Xmas Scan.

    What type of server is it? If you are not logging all traffic on the server you want to consider doing so for awhile to trouble shoot this and see what connections are happening when the port scan detection is triggered.

    Regards,

    CrazyM
     
  5. prk.uk

    prk.uk Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    10
    Location:
    Essex UK
    Hello ISSnewb3

    Just to confirm your situation:

    your port scan 2006/01/29, 10:31:49.851, GMT -0600, 2118, Port scan: src=X, dst=Y, TTL=128, ports: 33046, 33407, 33790

    my port scan 2006/01/30, 17:53:02.890, GMT -0000, 2118, Port scan: src=4.79.1xx.xxx, dst=192.168.1.10, TTL=112, ports: 0, 1, 2

    With the packet being inbound: Your computer (dst) <-----------I/C Remote computer (src)

    This means that you are indeed correct. Your log entry shows that the packet direction is outgoing.

    Could you please say: 1 what version of 8-Signs you are using 2 Workstation on a network 3 Your system software and whether a Router is being used.

    prk
     
  6. ISSnewb3

    ISSnewb3 Registered Member

    Joined:
    Jan 25, 2006
    Posts:
    4
    i'm using 2.3 version.

    the firewall is installed on my just bought server, os is windows 2003.

    I was connecting thru the server from my computer at home using remote desktop.

    I still don't understand why the server would do a port scan to all these ip addresses (including my ip at home).
     
  7. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Has the server been scannned/checked for malware?

    Are the alerts only occurring when you connect via remote desktop?

    It could be legitimate traffic triggering the port scanner, which is why you would want to look at all the traffic when this happens. Hence the logging suggestion above. Is there any hardware (router/firewall) in front of the server? You could raise the thresholds to see if that stops the alerts, but it would not help in determining why it is happening.

    Regards,

    CrazyM
     
  8. ISSnewb3

    ISSnewb3 Registered Member

    Joined:
    Jan 25, 2006
    Posts:
    4
    so far 8signs has worked ok now!

    thx for the reply.
     
  9. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Glad to hear it is working for you now. Any other questions or concerns, feel free to ask :)

    Regards,

    CrazyM
     
Loading...
Thread Status:
Not open for further replies.