I have a small but annoying problem that I was hoping you could throw some light on.
Several times a day I receive a message telling me I am being port scanned. This is coming from my own servers.
Looking in the logs, it appears to be legitimate traffic.
Here is an example of normal Windows traffic.
Code:
2006:03:20-00:23:32 (none) ulogd[2660]: PORTSCAN: IN=eth0 OUT=eth4.10 MAC=00:04:23:c6:90:98:00:0f:1f:67:37:74:08:00 SRC=212.88.93.83 DST=10.10.1.21 LEN=190 TOS=00 PREC=0x00 TTL=127 ID=31937 PROTO=UDP SPT=4549 DPT=389 LEN=170
2006:03:20-00:35:33 (none) ulogd[2660]: PORTSCAN: IN=eth0 OUT=eth4.10 MAC=00:04:23:c6:90:98:00:0f:1f:67:37:74:08:00 SRC=212.88.93.83 DST=10.10.1.21 LEN=190 TOS=00 PREC=0x00 TTL=127 ID=32188 PROTO=UDP SPT=4568 DPT=389 LEN=170
2006:03:20-01:11:41 (none) ulogd[2660]: PORTSCAN: IN=eth0 OUT=eth4.10 MAC=00:04:23:c6:90:98:00:0f:1f:67:37:74:08:00 SRC=212.88.93.83 DST=10.10.1.21 LEN=190 TOS=00 PREC=0x00 TTL=127 ID=32931 CE PROTO=UDP SPT=4623 DPT=389 LEN=170
2006:03:20-01:59:51 (none) ulogd[2660]: PORTSCAN: IN=eth0 OUT=eth4.10 MAC=00:04:23:c6:90:98:00:0f:1f:67:37:74:08:00 SRC=212.88.93.83 DST=10.10.1.21 LEN=190 TOS=00 PREC=0x00 TTL=127 ID=34160 CE PROTO=UDP SPT=4728 DPT=389 LEN=170
2006:03:20-06:36:54 (none) ulogd[2660]: PORTSCAN: IN=eth0 OUT=eth4.10 MAC=00:04:23:c6:90:98:00:0f:1f:67:37:74:08:00 SRC=212.88.93.83 DST=10.10.1.20 LEN=78 TOS=00 PREC=0x00 TTL=127 ID=40568 CE PROTO=UDP SPT=1267 DPT=53 LEN=58
Do you have any suggestions regarding how to eliminate these false alerts without disabling the feature totally?
Regards
Rune Z.
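One way to triage alerts like the ones quoted above before they reach a mailbox, as an added example that is not part of the original post: parse the ulogd PORTSCAN lines into fields, compare each flow against an allowlist of traffic the site expects (here, the Windows client reaching the domain controller on LDAP 389/udp and the resolver on DNS 53/udp; that allowlist and the host roles are assumptions, not something the post states), and show how many distinct destination ports each source actually touched, since repeated hits on one service port over several hours are not a scan. The sample input is the five lines from the post plus one constructed line on a port not in the allowlist.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the five ulogd PORTSCAN lines quoted in the post,
# plus one made-up line (DPT=445) to show what a real alert looks like.
SAMPLE_LOG = """\
2006:03:20-00:23:32 (none) ulogd[2660]: PORTSCAN: IN=eth0 OUT=eth4.10 MAC=00:04:23:c6:90:98:00:0f:1f:67:37:74:08:00 SRC=212.88.93.83 DST=10.10.1.21 LEN=190 TOS=00 PREC=0x00 TTL=127 ID=31937 PROTO=UDP SPT=4549 DPT=389 LEN=170
2006:03:20-00:35:33 (none) ulogd[2660]: PORTSCAN: IN=eth0 OUT=eth4.10 MAC=00:04:23:c6:90:98:00:0f:1f:67:37:74:08:00 SRC=212.88.93.83 DST=10.10.1.21 LEN=190 TOS=00 PREC=0x00 TTL=127 ID=32188 PROTO=UDP SPT=4568 DPT=389 LEN=170
2006:03:20-01:11:41 (none) ulogd[2660]: PORTSCAN: IN=eth0 OUT=eth4.10 MAC=00:04:23:c6:90:98:00:0f:1f:67:37:74:08:00 SRC=212.88.93.83 DST=10.10.1.21 LEN=190 TOS=00 PREC=0x00 TTL=127 ID=32931 CE PROTO=UDP SPT=4623 DPT=389 LEN=170
2006:03:20-01:59:51 (none) ulogd[2660]: PORTSCAN: IN=eth0 OUT=eth4.10 MAC=00:04:23:c6:90:98:00:0f:1f:67:37:74:08:00 SRC=212.88.93.83 DST=10.10.1.21 LEN=190 TOS=00 PREC=0x00 TTL=127 ID=34160 CE PROTO=UDP SPT=4728 DPT=389 LEN=170
2006:03:20-06:36:54 (none) ulogd[2660]: PORTSCAN: IN=eth0 OUT=eth4.10 MAC=00:04:23:c6:90:98:00:0f:1f:67:37:74:08:00 SRC=212.88.93.83 DST=10.10.1.20 LEN=78 TOS=00 PREC=0x00 TTL=127 ID=40568 CE PROTO=UDP SPT=1267 DPT=53 LEN=58
2006:03:20-07:02:10 (none) ulogd[2660]: PORTSCAN: IN=eth0 OUT=eth4.10 MAC=00:04:23:c6:90:98:00:0f:1f:67:37:74:08:00 SRC=212.88.93.83 DST=10.10.1.21 LEN=78 TOS=00 PREC=0x00 TTL=127 ID=40601 PROTO=UDP SPT=1301 DPT=445 LEN=58
"""

# Hypothetical allowlist (assumption): flows this site expects to see.
# (destination host, protocol, destination port)
EXPECTED_FLOWS = {
    ("10.10.1.21", "UDP", 389),   # domain controller, LDAP
    ("10.10.1.20", "UDP", 53),    # resolver, DNS
}

# "<timestamp> <host> ulogd[<pid>]: <tag>: <key=value ...>"
HEADER_RE = re.compile(r"^(\S+) \S+ ulogd\[\d+\]: (\w+): (.*)$")


def parse_line(line):
    """Split one ulogd line into a dict of fields; None if it is not a ulogd line."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ts, tag, rest = m.groups()
    fields = {"ts": ts, "tag": tag, "flags": []}
    for tok in rest.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            # LEN appears twice: IP total length first, then UDP length.
            if k == "LEN" and "LEN" in fields:
                k = "LEN2"
            fields[k] = v
        else:
            # Bare tokens such as "CE" (ECN bits set in the IP header).
            fields["flags"].append(tok)
    return fields


def classify(rec):
    """'expected' if the flow is on the allowlist, 'alert' otherwise."""
    try:
        key = (rec["DST"], rec["PROTO"], int(rec["DPT"]))
    except (KeyError, ValueError):
        return "unparsed"
    return "expected" if key in EXPECTED_FLOWS else "alert"


def triage(log_text):
    """Return (verdict counts, list of records that still deserve an alert)."""
    counts = Counter()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["tag"] != "PORTSCAN":
            continue
        verdict = classify(rec)
        counts[verdict] += 1
        if verdict == "alert":
            alerts.append(rec)
    return counts, alerts


def distinct_dports(log_text):
    """Map each source address to the sorted set of destination ports it hit.

    A genuine port scan touches many ports; a client using one service
    repeatedly touches one or two, which is the pattern in the post."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "SRC" in rec and "DPT" in rec:
            seen[rec["SRC"]].add(int(rec["DPT"]))
    return {src: sorted(ports) for src, ports in seen.items()}


if __name__ == "__main__":
    counts, alerts = triage(SAMPLE_LOG)
    print("verdicts:", dict(counts))
    for rec in alerts:
        print("ALERT", rec["ts"], rec["SRC"], "->", rec["DST"], rec["PROTO"], rec["DPT"])
    print("ports per source:", distinct_dports(SAMPLE_LOG))
```

Run against the sample, the five LDAP and DNS lines are marked expected and only the constructed 445/udp line is left as an alert; the per-source summary shows the client touching just 53, 389 and 445. The same allowlist idea maps onto the firewall itself: a rule that accepts the known client-to-server ports before the portscan detector sees the packet removes the noise without turning the detector off.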