I just installed the 8signs trial due to reading other posters' comments about 8signs.

2006/01/29, 10:31:49.851, GMT -0600, 2118, Port scan: src=X, dst=Y, TTL=128, ports: 33046, 33407, 33790

That is what I got in my 8signs firewall log. X is my IP address. I thought src should be Y, where the scanner is, and dst should be my IP address. Any inputs please? I'm a little confused. Thx a lot
Hi ISSnewb3 ... and welcome to Wilders. Did you look into the destination IP, and does it relate to anything you were doing at the time? The high TTL would suggest it is related to traffic you initiated. In the port scan properties, did you make any changes to the threshold or time limit settings? Regards, CrazyM
Nope, I didn't make any change to the port scan properties. Src is still the server's IP address. Does that mean the server itself is scanning the destination (user) IP address? thx
It does appear to be traffic from the source IP (your server) triggering the port scan detection. Whether it is actually scanning these other IPs, or something else it is doing is triggering this, still needs to be determined. Unless it has changed, the types of port scans identified by 8Signs are: Normal "Connect" Port Scan, SYN Scan (aka Stealth Scan), ACK and Window Scans, FIN Scan, NULL Scan, Xmas Scan, Full Xmas Scan. What type of server is it? If you are not logging all traffic on the server, you want to consider doing so for a while to troubleshoot this and see what connections are happening when the port scan detection is triggered. Regards, CrazyM
Hello ISSnewb3

Just to confirm your situation:

your port scan
2006/01/29, 10:31:49.851, GMT -0600, 2118, Port scan: src=X, dst=Y, TTL=128, ports: 33046, 33407, 33790

my port scan
2006/01/30, 17:53:02.890, GMT -0000, 2118, Port scan: src=4.79.1xx.xxx, dst=192.168.1.10, TTL=112, ports: 0, 1, 2

With the packet being inbound:
Your computer (dst) <----------- I/C Remote computer (src)

This means that you are indeed correct. Your log entry shows that the packet direction is outgoing. Could you please say:
1. what version of 8-Signs you are using
2. Workstation on a network
3. Your system software and whether a Router is being used.

prk
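The direction check prk walks through above (and CrazyM's point that a high TTL points to locally initiated traffic), as an added Python example that is not from the thread or from 8signs: it parses lines in the quoted 8signs "Port scan" log format, tags each event as outbound or inbound by comparing src/dst against the host's own addresses, and estimates hop count from the TTL. The sample log lines and all addresses below are constructed (RFC 5737 / RFC 1918 documentation ranges), and the hop estimate assumes the sender started from one of the standard initial TTLs (64, 128 or 255).

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample lines in the 8signs "Port scan" format quoted in this thread.
# Addresses are documentation / private ranges, not real hosts.
SAMPLE_LOG = """\
2006/01/29, 10:31:49.851, GMT -0600, 2118, Port scan: src=192.0.2.10, dst=203.0.113.5, TTL=128, ports: 33046, 33407, 33790
2006/01/30, 17:53:02.890, GMT -0000, 2118, Port scan: src=198.51.100.77, dst=192.168.1.10, TTL=112, ports: 0, 1, 2
2006/01/30, 18:01:44.003, GMT -0000, 2118, Port scan: src=203.0.113.5, dst=192.0.2.10, TTL=55, ports: 22, 23, 3389
"""

# Field order follows the log lines above: date, time, zone, rule id, then the event text.
# The port list is captured whole because it reuses the ", " field separator.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}), (?P<time>[\d:.]+), (?P<tz>GMT [+-]\d{4}), "
    r"(?P<rule>\d+), Port scan: src=(?P<src>[^,]+), dst=(?P<dst>[^,]+), "
    r"TTL=(?P<ttl>\d+), ports: (?P<ports>.*)$"
)

# Assumed standard initial TTLs; the nearest one at or above the observed value gives a hop estimate.
INITIAL_TTLS = (64, 128, 255)


@dataclass
class PortScanEvent:
    timestamp: str
    rule_id: int
    src: str
    dst: str
    ttl: int
    ports: list
    direction: str   # "outbound", "inbound" or "unknown" relative to the local host
    est_hops: int    # 0 means the packet most likely originated on the local host


def estimate_hops(ttl):
    """Hops travelled, assuming the sender started from a standard initial TTL."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    return None


def classify_direction(src, dst, local_ips):
    """src is ours -> we initiated it (outbound); dst is ours -> someone sent it to us (inbound)."""
    if src in local_ips:
        return "outbound"
    if dst in local_ips:
        return "inbound"
    return "unknown"


def parse_line(line, local_ips):
    """Parse one log line; returns None for lines that are not Port scan events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ttl = int(m["ttl"])
    ports = [int(p) for p in m["ports"].split(",") if p.strip()]
    return PortScanEvent(
        timestamp=f"{m['date']} {m['time']} {m['tz']}",
        rule_id=int(m["rule"]),
        src=m["src"],
        dst=m["dst"],
        ttl=ttl,
        ports=ports,
        direction=classify_direction(m["src"], m["dst"], local_ips),
        est_hops=estimate_hops(ttl),
    )


def parse_log(text, local_ips):
    """Parse every Port scan line; local_ips are the host's own addresses as strings."""
    local = {str(ip_address(ip)) for ip in local_ips}
    return [e for e in (parse_line(l, local) for l in text.splitlines()) if e]


def summarize(events):
    """Count events per direction, so an unexpected 'outbound' total stands out."""
    counts = {"inbound": 0, "outbound": 0, "unknown": 0}
    for e in events:
        counts[e.direction] += 1
    return counts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG, {"192.0.2.10", "192.168.1.10"})
    for e in events:
        print(f"{e.timestamp}  {e.direction:8}  {e.src} -> {e.dst}  "
              f"TTL={e.ttl} (~{e.est_hops} hops)  ports={e.ports}")
    print(summarize(events))
```

Run against a real 8signs log, the thing to look for is what the thread describes: an event whose src is the server's own address and whose TTL equals an initial value (hop estimate 0) was generated on the server itself, so the next step is correlating its timestamp with the full connection log rather than treating it as an external scan.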
I'm using version 2.3. The firewall is installed on my just-bought server; the OS is Windows 2003. I was connecting through the server from my computer at home using Remote Desktop. I still don't understand why the server would do a port scan to all these IP addresses (including my IP at home).
Has the server been scanned/checked for malware? Are the alerts only occurring when you connect via Remote Desktop? It could be legitimate traffic triggering the port scanner, which is why you would want to look at all the traffic when this happens. Hence the logging suggestion above. Is there any hardware (router/firewall) in front of the server? You could raise the thresholds to see if that stops the alerts, but it would not help in determining why it is happening. Regards, CrazyM
Glad to hear it is working for you now. Any other questions or concerns, feel free to ask. Regards, CrazyM