
Meaning of App = "445" in packets

Hi,

We are receiving portscans from the source IP address on the port range from 1030 to 1139. I have put some log entries below. They are blocked by a specific dropping rule as they keep scanning our ports. After a number of the same packets trying to scan the ports, the UTM flags the packet as a portscan with fwrule=60017.

2016:04:18-06:55:17 fw ulogd[15086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="3" initf="ppp0" mark="0x21bd" app="445" srcip="209.126.127.17" dstip="x.x.x.x" proto="17" length="443" tos="0x00" prec="0x00" ttl="51" srcport="5905" dstport="1036"

2016:04:18-06:56:24 fw ulogd[15086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="3" initf="ppp0" mark="0x21bd" app="445" srcip="209.126.127.17" dstip="x.x.x.x" proto="17" length="443" tos="0x00" prec="0x00" ttl="51" srcport="5905" dstport="1037"

2016:04:18-06:57:11 fw ulogd[15086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="3" initf="ppp0" mark="0x21bd" app="445" srcip="209.126.127.17" dstip="x.x.x.x" proto="17" length="443" tos="0x00" prec="0x00" ttl="51" srcport="5905" dstport="1038"

2016:04:18-06:58:46 fw ulogd[15086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="3" initf="ppp0" mark="0x21bd" app="445" srcip="209.126.127.17" dstip="x.x.x.x" proto="17" length="443" tos="0x00" prec="0x00" ttl="51" srcport="5905" dstport="1039"

2016:04:18-06:60:20 fw ulogd[15086]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="ppp0" mark="0x21bd" app="445" srcip="209.126.127.17" dstip="x.x.x.x" proto="17" length="443" tos="0x00" prec="0x00" ttl="51" srcport="5905" dstport="1060"

My questions are:

1. What does the app=445 mean in these packets?

2. What do you do when dealing with this kind of consistent portscan?
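As an added example (not from the post or from Sophos), the following parses the ulogd key="value" format shown above and reproduces the "many distinct destination ports from one source" observation that precedes the UTM's own portscan verdict; it does not interpret the app field, and the sample input is the five lines quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample input: the five ulogd lines quoted in the post above (dstip stays masked).
SAMPLE_LOG = [
    '2016:04:18-06:55:17 fw ulogd[15086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="3" initf="ppp0" mark="0x21bd" app="445" srcip="209.126.127.17" dstip="x.x.x.x" proto="17" length="443" tos="0x00" prec="0x00" ttl="51" srcport="5905" dstport="1036"',
    '2016:04:18-06:56:24 fw ulogd[15086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="3" initf="ppp0" mark="0x21bd" app="445" srcip="209.126.127.17" dstip="x.x.x.x" proto="17" length="443" tos="0x00" prec="0x00" ttl="51" srcport="5905" dstport="1037"',
    '2016:04:18-06:57:11 fw ulogd[15086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="3" initf="ppp0" mark="0x21bd" app="445" srcip="209.126.127.17" dstip="x.x.x.x" proto="17" length="443" tos="0x00" prec="0x00" ttl="51" srcport="5905" dstport="1038"',
    '2016:04:18-06:58:46 fw ulogd[15086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="3" initf="ppp0" mark="0x21bd" app="445" srcip="209.126.127.17" dstip="x.x.x.x" proto="17" length="443" tos="0x00" prec="0x00" ttl="51" srcport="5905" dstport="1039"',
    '2016:04:18-06:60:20 fw ulogd[15086]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="ppp0" mark="0x21bd" app="445" srcip="209.126.127.17" dstip="x.x.x.x" proto="17" length="443" tos="0x00" prec="0x00" ttl="51" srcport="5905" dstport="1060"',
]

# One key="value" pair; values may contain spaces (e.g. name="Packet dropped").
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ulogd_line(line):
    """Return the key="value" fields of one UTM log line as a dict, plus '_ts' and '_proc'."""
    head, sep, body = line.partition(': ')
    if not sep:
        raise ValueError(f"not a ulogd line: {line!r}")
    fields = dict(KV_RE.findall(body))
    ts, _, proc = head.partition(' ')
    fields['_ts'] = ts        # e.g. 2016:04:18-06:55:17 (kept as the raw string)
    fields['_proc'] = proc    # e.g. fw ulogd[15086]
    return fields


def dropped_ports_by_source(lines):
    """Map (srcip, proto) -> set of distinct dstports seen in packetfilter drop events."""
    seen = defaultdict(set)
    for line in lines:
        f = parse_ulogd_line(line)
        # Count only raw drops; sub="ips" lines are the UTM's own verdict, not new packets.
        if f.get('sub') == 'packetfilter' and f.get('action') == 'drop':
            seen[(f['srcip'], f['proto'])].add(int(f['dstport']))
    return seen


def flag_scanners(lines, min_ports):
    """Sources dropped on at least min_ports distinct destination ports (proto 17 is UDP)."""
    return {src: sorted(ports)
            for src, ports in dropped_ports_by_source(lines).items()
            if len(ports) >= min_ports}


if __name__ == '__main__':
    for (ip, proto), ports in flag_scanners(SAMPLE_LOG, 4).items():
        print(f"{ip} proto={proto} hit {len(ports)} ports: {ports[0]}-{ports[-1]}")
```

The threshold of 4 is arbitrary for the sample; on a real log feed it should be tuned per protocol and time window, and the resulting (srcip, ports) tuples are what you would compare against the UTM's fwrule=60017 events.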


