Meaning of App = "445" in packets

Hi,

We are receiving portscans from the source IP address on the port range from 1030 to 1139. I have put some logged lines below. They are blocked by a specific dropping rule as they keep scanning our ports. After a number of the same packets try to scan the ports, the UTM flags the packet as a portscan with fwrule=60017.

2016:04:18-06:55:17 fw ulogd[15086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="3" initf="ppp0" mark="0x21bd" app="445" srcip="209.126.127.17" dstip="x.x.x.x" proto="17" length="443" tos="0x00" prec="0x00" ttl="51" srcport="5905" dstport="1036"

2016:04:18-06:56:24 fw ulogd[15086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="3" initf="ppp0" mark="0x21bd" app="445" srcip="209.126.127.17" dstip="x.x.x.x" proto="17" length="443" tos="0x00" prec="0x00" ttl="51" srcport="5905" dstport="1037"

2016:04:18-06:57:11 fw ulogd[15086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="3" initf="ppp0" mark="0x21bd" app="445" srcip="209.126.127.17" dstip="x.x.x.x" proto="17" length="443" tos="0x00" prec="0x00" ttl="51" srcport="5905" dstport="1038"

2016:04:18-06:58:46 fw ulogd[15086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="3" initf="ppp0" mark="0x21bd" app="445" srcip="209.126.127.17" dstip="x.x.x.x" proto="17" length="443" tos="0x00" prec="0x00" ttl="51" srcport="5905" dstport="1039"

2016:04:18-06:60:20 fw ulogd[15086]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="ppp0" mark="0x21bd" app="445" srcip="209.126.127.17" dstip="x.x.x.x" proto="17" length="443" tos="0x00" prec="0x00" ttl="51" srcport="5905" dstport="1060"

My questions are:

1. What does app=445 mean in these packets?

2. What do you do when dealing with this kind of consistent portscan?
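One way to check for the pattern described in the post, as an added example that is not part of the original post and not Sophos UTM code: a small Python parser for these ulogd packetfilter lines that groups dropped packets by source address and reports sources hitting several distinct destination ports within a short window. The sample lines are constructed to match the post's format (the second source 198.51.100.7 and the window and port thresholds are assumed values), and the helper names parse_line and find_scanners are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example, not code from the post or from Sophos: parse the UTM ulogd lines
# quoted above and flag sources that hit many distinct dstports in a short window.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
TS_FORMAT = "%Y:%m:%d-%H:%M:%S"  # matches the leading 2016:04:18-06:55:17 token

# Constructed sample lines in the post's format (x.x.x.x kept as the author's redaction);
# the last line reproduces the post's minute-60 timestamp, which is not a valid time.
SAMPLE_LOG = """\
2016:04:18-06:55:17 fw ulogd[15086]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="3" app="445" srcip="209.126.127.17" dstip="x.x.x.x" proto="17" srcport="5905" dstport="1036"
2016:04:18-06:56:24 fw ulogd[15086]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="3" app="445" srcip="209.126.127.17" dstip="x.x.x.x" proto="17" srcport="5905" dstport="1037"
2016:04:18-06:57:11 fw ulogd[15086]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="3" app="445" srcip="209.126.127.17" dstip="x.x.x.x" proto="17" srcport="5905" dstport="1038"
2016:04:18-06:58:46 fw ulogd[15086]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="3" app="445" srcip="209.126.127.17" dstip="x.x.x.x" proto="17" srcport="5905" dstport="1039"
2016:04:18-06:59:00 fw ulogd[15086]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="3" app="445" srcip="198.51.100.7" dstip="x.x.x.x" proto="17" srcport="5905" dstport="1036"
2016:04:18-06:60:20 fw ulogd[15086]: id="2102" sub="ips" name="portscan detected" action="portscan" fwrule="60017" app="445" srcip="209.126.127.17" dstip="x.x.x.x" proto="17" srcport="5905" dstport="1060"
"""

def parse_line(line):
    """Return the key="value" fields plus a parsed 'ts', or None if the line is unusable."""
    fields = dict(KV_RE.findall(line))
    if "srcip" not in fields or "dstport" not in fields:
        return None
    try:
        fields["ts"] = datetime.strptime(line.split(" ", 1)[0], TS_FORMAT)
    except ValueError:
        return None  # unparseable timestamp: skip the line rather than abort the run
    return fields

def find_scanners(lines, window_s=600, min_ports=4):
    """Map srcip -> sorted distinct dstports for sources whose dropped packets touched
    at least min_ports distinct ports within any window_s-second window (assumed thresholds)."""
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        if ev.get("action") == "drop":
            by_src[ev["srcip"]].append((ev["ts"], int(ev["dstport"])))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG.splitlines()))
```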
