This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Port Scanning

The function is a really good feature.
But when I do portscan myself from the
inside-out its annoying to get so many e-mail.
I only want to get the e-mail when someone
is scanning the external interface/rules.
How can i turn the function off?

This thread was automatically locked due to age.

Parents

0 cesman over 24 years ago

You don't want to turn this off. What if a trojan horse is on an internal system? Wouldn't you like to know if one or more of your systems are being used to scan other systems on the net? Just a thought...

Cecil
Cancel
Vote Up 0 Vote Down

Cancel
0 ezac222 over 24 years ago in reply to cesman

Yes of course. But i meant to turn it off
just tmp. after installation.
Cancel
Vote Up 0 Vote Down

Cancel
0 Dennis Koslowski over 24 years ago in reply to ezac222

Hello ezac222

we plan to add such feature sometime, now it is impossible. Please be patient [:)]

Greetings

------------------
Dennis Koslowski
Astaro Product Development
Cancel
Vote Up 0 Vote Down

Cancel
0 afeibus over 23 years ago in reply to Dennis Koslowski

Well, it's been well over a year since the last posting about this issue... and having received over 1000 e-mails over the past 24 hours from twerps (that's a technical term) doing portscans on our servers, I'd like to know how to turn off the e-mails JUST from the portscans? I can still look in the logs to get them, and I like the other e-mails, but getting 300+ e-mails every time someone tries to probe our boxes seems a wee bit excessive and time-wasting.

Thanks,
-- Andy.
Cancel
Vote Up 0 Vote Down

Cancel
0 lanman over 23 years ago in reply to afeibus

If you know the IP address setup a network definition for this IP and then exclude it from portscan detection.
Cancel
Vote Up 0 Vote Down

Cancel
0 tom_01 over 23 years ago in reply to lanman

In 3.2, you can turn of PSD altogether. This is not possible in 2.x, I'm afraid.

Maybe you would like to upgrade ? [;)]

/tom
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 tom_01 over 23 years ago in reply to lanman

In 3.2, you can turn of PSD altogether. This is not possible in 2.x, I'm afraid.

Maybe you would like to upgrade ? [;)]

/tom
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 afeibus over 23 years ago in reply to tom_01

I'm running 3.2 (and love it so far). The scanning IPs are coming from more than one place and I really LIKE the portscan feature... just not the logging control for it. Don't want to lose the feature just to lose the e-mails.....

Interestingly enough, PSD also seems to be tripping on DNS activity from the DNS servers INSIDE the firewall..... I can exempt that system, but seems odd that it would do that.

Thanks,
-- Andy.
Cancel
Vote Up 0 Vote Down

Cancel
0 lanman over 23 years ago in reply to afeibus

I am having the same problem from DNS servers registering port scan activity. I created network defs for each DNS server and excluded them from PSD.

I have been told by others that Port scanning is normal activity for DNS Servers but it is not actually scanning and that it may be replication traffic from Zone Transfers. Can any one verify this.
Cancel
Vote Up 0 Vote Down

Cancel
0 danielrm26 over 23 years ago in reply to lanman

I believe this is triggering the PSD due to the throttle setting in the PSD code. If something generates traffic too often (according to the PSD code) it will trigger the alert. Pseudocode is something like, "If requests come more often than x -> do y."

It is no big deal really; that type of thing can be modified if you wanted to get dirty.

[:)]
Cancel
Vote Up 0 Vote Down

Cancel