IPS - portscan detect

Hi all, in my IPS log I see some "portscan detect" entries; up to this point, nothing serious.
But the strange thing is that some entries show aa:bb:cc:dd:ee:ff as srcmac, and this MAC is the same for attacks coming from an external public IP as for those from the public IP of my office 2, which is connected via SSL VPN.

How can you explain this?

Entry from the public IP of office 2

/var/log/ips/2015/10/ips-2015-10-09.log.gz:2015:10:09-16:26:49 fw1 ulogd[4560]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth0" srcmac="aa:bb:cc:dd:ee:ff" dstmac="00:1e:0b:fd:18:aa" srcip="88.18.123.212" dstip="80.96.211.77" proto="6" length="44" tos="0x00" prec="0x00" ttl="37" srcport="59039" dstport="1066" tcpflags="SYN"

entry from external ip (not related to my networks)

/var/log/ips/2015/10/ips-2015-10-07.log.gz:2015:10:07-00:24:36 fw1 ulogd[4560]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth0" srcmac="aa:bb:cc:dd:ee:ff" dstmac="00:1e:0b:fd:18:aa" srcip="221.192.199.50" dstip="80.96.211.77" proto="6" length="40" tos="0x00" prec="0x00" ttl="110" srcport="39441" dstport="8090" tcpflags="SYN"

