[9.194-5][ANSWERED] Portscan detected every time a client starts

Portscan detected every time a client starts.
That's very strange. Is this normal behavior?
The log shows:
2014:02:13-09:06:06 asg-1 ulogd[16922]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" mark="0x40000" srcmac="84:3a:4b:a1:c6:a4" dstmac="0:1a:8c:f0:4b:a1" srcip="192.168.24.60" dstip="23.43.75.27" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="49613" dstport="80" tcpflags="SYN"
2014:02:13-09:06:06 asg-1 ulogd[16922]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" mark="0x40000" srcmac="84:3a:4b:a1:c6:a4" dstmac="0:1a:8c:f0:4b:a1" srcip="192.168.24.60" dstip="23.43.75.27" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="49614" dstport="80" tcpflags="SYN"
2014:02:13-09:06:06 asg-1 ulogd[16922]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" mark="0x40000" srcmac="84:3a:4b:a1:c6:a4" dstmac="0:1a:8c:f0:4b:a1" srcip="192.168.24.60" dstip="194.0.230.106" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="49635" dstport="80" tcpflags="SYN"
2014:02:13-09:06:07 asg-1 ulogd[16922]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" mark="0x40000" srcmac="84:3a:4b:a1:c6:a4" dstmac="0:1a:8c:f0:4b:a1" srcip="192.168.24.60" dstip="23.42.27.27" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="49638" dstport="80" tcpflags="SYN"
2014:02:13-09:06:10 asg-1 ulogd[16922]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" mark="0x40000" srcmac="84:3a:4b:a1:c6:a4" dstmac="0:1a:8c:f0:4b:a1" srcip="192.168.24.60" dstip="194.0.230.106" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="49635" dstport="80" tcpflags="SYN"
2014:02:13-09:06:10 asg-1 ulogd[16922]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" mark="0x40000" srcmac="84:3a:4b:a1:c6:a4" dstmac="0:1a:8c:f0:4b:a1" srcip="192.168.24.60" dstip="23.43.75.27" proto="6" length="48" tos="0x00" prec="0x00" ttl="128" srcport="49602" dstport="80" tcpflags="SYN"
2014:02:13-09:06:10 asg-1 ulogd[16922]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" mark="0x40000" srcmac="84:3a:4b:a1:c6:a4" dstmac="0:1a:8c:f0:4b:a1" srcip="192.168.24.60" dstip="23.42.27.27" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="49638" dstport="80" tcpflags="SYN"
2014:02:13-09:06:12 asg-1 ulogd[16922]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" mark="0x40000" srcmac="84:3a:4b:a1:c6:a4" dstmac="0:1a:8c:f0:4b:a1" srcip="192.168.24.60" dstip="194.0.230.106" proto="6" length="48" tos="0x00" prec="0x00" ttl="128" srcport="49609" dstport="80" tcpflags="SYN"
2014:02:13-09:06:12 asg-1 ulogd[16922]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" mark="0x40000" srcmac="84:3a:4b:a1:c6:a4" dstmac="0:1a:8c:f0:4b:a1" srcip="192.168.24.60" dstip="23.43.75.27" proto="6" length="48" tos="0x00" prec="0x00" ttl="128" srcport="49613" dstport="80" tcpflags="SYN"
2014:02:13-09:06:12 asg-1 ulogd[16922]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" mark="0x40000" srcmac="84:3a:4b:a1:c6:a4" dstmac="0:1a:8c:f0:4b:a1" srcip="192.168.24.60" dstip="23.43.75.27" proto="6" length="48" tos="0x00" prec="0x00" ttl="128" srcport="49614" dstport="80" tcpflags="SYN"

Is it possible to change the parameters for portscan detection at any place?
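As an added triage example (not part of the original post and not Sophos's own tooling), the Python below parses the ulogd key="value" format shown above and measures what a defender wants to know before treating such events as a scan: how many distinct targets and ports one source touched, and how many events repeat a source-port/destination pair that was already seen, which is the signature of TCP SYN retransmissions. The embedded log is an abridged copy of the posted lines (only the fields the triage needs are kept); the thresholds in classify() are illustrative assumptions, not the appliance's detection logic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Abridged copy of the lines posted in the thread, reduced to the fields used
# here; the original lines carry additional key="value" pairs.
SAMPLE_LOG = """\
2014:02:13-09:06:06 asg-1 ulogd[16922]: id="2102" sub="ips" name="portscan detected" action="portscan" initf="eth1" srcip="192.168.24.60" dstip="23.43.75.27" proto="6" srcport="49613" dstport="80" tcpflags="SYN"
2014:02:13-09:06:06 asg-1 ulogd[16922]: id="2102" sub="ips" name="portscan detected" action="portscan" initf="eth1" srcip="192.168.24.60" dstip="23.43.75.27" proto="6" srcport="49614" dstport="80" tcpflags="SYN"
2014:02:13-09:06:06 asg-1 ulogd[16922]: id="2102" sub="ips" name="portscan detected" action="portscan" initf="eth1" srcip="192.168.24.60" dstip="194.0.230.106" proto="6" srcport="49635" dstport="80" tcpflags="SYN"
2014:02:13-09:06:07 asg-1 ulogd[16922]: id="2102" sub="ips" name="portscan detected" action="portscan" initf="eth1" srcip="192.168.24.60" dstip="23.42.27.27" proto="6" srcport="49638" dstport="80" tcpflags="SYN"
2014:02:13-09:06:10 asg-1 ulogd[16922]: id="2102" sub="ips" name="portscan detected" action="portscan" initf="eth1" srcip="192.168.24.60" dstip="194.0.230.106" proto="6" srcport="49635" dstport="80" tcpflags="SYN"
2014:02:13-09:06:10 asg-1 ulogd[16922]: id="2102" sub="ips" name="portscan detected" action="portscan" initf="eth1" srcip="192.168.24.60" dstip="23.43.75.27" proto="6" srcport="49602" dstport="80" tcpflags="SYN"
2014:02:13-09:06:10 asg-1 ulogd[16922]: id="2102" sub="ips" name="portscan detected" action="portscan" initf="eth1" srcip="192.168.24.60" dstip="23.42.27.27" proto="6" srcport="49638" dstport="80" tcpflags="SYN"
2014:02:13-09:06:12 asg-1 ulogd[16922]: id="2102" sub="ips" name="portscan detected" action="portscan" initf="eth1" srcip="192.168.24.60" dstip="194.0.230.106" proto="6" srcport="49609" dstport="80" tcpflags="SYN"
2014:02:13-09:06:12 asg-1 ulogd[16922]: id="2102" sub="ips" name="portscan detected" action="portscan" initf="eth1" srcip="192.168.24.60" dstip="23.43.75.27" proto="6" srcport="49613" dstport="80" tcpflags="SYN"
2014:02:13-09:06:12 asg-1 ulogd[16922]: id="2102" sub="ips" name="portscan detected" action="portscan" initf="eth1" srcip="192.168.24.60" dstip="23.43.75.27" proto="6" srcport="49614" dstport="80" tcpflags="SYN"
"""

# "<timestamp> <host> <process>: <key="value" ...>"
HEADER = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+): (?P<body>.*)$')
KV = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one ulogd line into a dict; returns None for lines that do not match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), "%Y:%m:%d-%H:%M:%S"),
           "host": m.group("host")}
    rec.update(KV.findall(m.group("body")))
    return rec


def summarize(log_text):
    """Per source IP: event count, distinct targets and services, distinct
    (srcport, dstip, dstport) tuples, and how many events merely repeat one
    of those tuples (repeated SYNs on the same 4-tuple are retransmissions)."""
    per_src = defaultdict(lambda: {"events": 0, "dst_hosts": set(), "dst_ports": set(),
                                   "flows": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("name") != "portscan detected":
            continue
        s = per_src[rec["srcip"]]
        s["events"] += 1
        s["dst_hosts"].add(rec["dstip"])
        s["dst_ports"].add((rec["proto"], rec["dstport"]))
        s["flows"].add((rec["srcport"], rec["dstip"], rec["dstport"]))
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    out = {}
    for src, s in per_src.items():
        out[src] = {
            "events": s["events"],
            "dst_hosts": len(s["dst_hosts"]),
            "dst_ports": len(s["dst_ports"]),
            "unique_flows": len(s["flows"]),
            "retransmits": s["events"] - len(s["flows"]),
            "seconds": int((s["last"] - s["first"]).total_seconds()),
        }
    return out


def classify(stats, max_ports=2, max_hosts=5):
    """Illustrative thresholds (an assumption for this example, not the
    appliance's detector): many ports or many hosts look like scanning,
    few services with repeated 4-tuples look like a client retrying."""
    if stats["dst_ports"] > max_ports:
        return "port-scan-like: one source probing many ports"
    if stats["dst_hosts"] > max_hosts:
        return "sweep-like: one port across many hosts"
    if stats["retransmits"] > 0:
        return "benign-looking: few services, repeated 4-tuples (SYN retries)"
    return "inconclusive"


if __name__ == "__main__":
    for src, st in summarize(SAMPLE_LOG).items():
        print(src, st, "->", classify(st))
```

Run against the posted lines it reports one service (tcp/80), three destinations, six distinct 4-tuples and four repeats within six seconds: the shape of a client retrying a handful of HTTP connections at start-up, not of a scan. A real scan shows the port count or the host count climbing instead, which is why the summary counts those separately from raw event volume.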
  • Hi,

    it is not possible to change the parameters for portscan detection.

    To avoid the mentioned behaviour, portscan detection is only enabled for the network interface where the default gateway is configured. At least that is the expected behaviour.

    Can you please post the output of:
    iptables-save  | grep PSD_ACTION

    I also need to know on which interface you have configured your default gateway.

    Best,

    Kofi
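An added example (not from the thread and not Sophos's code) of the check the reply asks for, done offline: it reads iptables-save text for rules that jump to PSD_ACTION, collects the interfaces those rules are bound to with -i, and compares them with the interface carrying the default route in `ip route` output. Both inputs are constructed samples; the chain layout, the -m psd option names and the addresses are assumptions meant to resemble a real rule set, not the appliance's actual configuration. The only name taken from the thread is the PSD_ACTION target that the reply greps for.

```python
import re
import shlex

# Constructed iptables-save excerpt (not Sophos's rule set). Portscan
# detection rules jump to PSD_ACTION; here they are bound to eth0 and eth1.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:PSD_ACTION - [0:0]
-A INPUT -i eth0 -p tcp -m psd --psd-weight-threshold 21 --psd-delay-threshold 300 -j PSD_ACTION
-A FORWARD -i eth0 -p tcp -m psd --psd-weight-threshold 21 --psd-delay-threshold 300 -j PSD_ACTION
-A FORWARD -i eth1 -p tcp -m psd --psd-weight-threshold 21 --psd-delay-threshold 300 -j PSD_ACTION
-A PSD_ACTION -j NFLOG --nflog-prefix "portscan"
-A PSD_ACTION -j DROP
COMMIT
"""

# Constructed `ip route` output: default gateway on eth0 (documentation
# address 203.0.113.1), internal LAN on eth1.
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth0
192.168.24.0/24 dev eth1 proto kernel scope link src 192.168.24.1
"""


def psd_interfaces(save_text, target="PSD_ACTION"):
    """Interfaces (-i) of every rule whose jump target is `target`.
    Rules with no -i match are reported as '*' (any interface)."""
    found = set()
    for raw in save_text.splitlines():
        if not raw.startswith("-A "):
            continue                     # skip table/chain declarations, COMMIT
        toks = shlex.split(raw)
        if "-j" not in toks or toks[toks.index("-j") + 1] != target:
            continue
        found.add(toks[toks.index("-i") + 1] if "-i" in toks else "*")
    return found


def default_gateway_interface(route_text):
    """Interface named by the 'default ... dev X' line, or None if absent."""
    for line in route_text.splitlines():
        m = re.match(r"default\b.*\bdev\s+(\S+)", line)
        if m:
            return m.group(1)
    return None


def check(save_text, route_text):
    """Compare where PSD rules live with where the default route lives."""
    gw = default_gateway_interface(route_text)
    ifs = psd_interfaces(save_text)
    return {
        "gateway_if": gw,
        "psd_ifs": ifs,
        # PSD rules on any interface other than the gateway one (or unbound)
        # contradict the expected behaviour described in the reply.
        "unexpected": {i for i in ifs if i != gw},
    }


if __name__ == "__main__":
    result = check(SAMPLE_IPTABLES_SAVE, SAMPLE_ROUTES)
    print("default gateway on:", result["gateway_if"])
    print("PSD rules bound to:", sorted(result["psd_ifs"]))
    if result["unexpected"]:
        print("PSD active on non-gateway interface(s):", sorted(result["unexpected"]))
    else:
        print("PSD confined to the gateway interface, as expected")
```

On a live box the two inputs come from `iptables-save` and `ip route`; with the constructed sample the script flags eth1, which is the situation the reply is probing for: the log above shows initf="eth1" with an internal source, so a PSD rule bound to the LAN interface would explain why ordinary client start-up traffic trips the detector.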