
List:       issforum
Subject:    [ISSForum] XXP_Port_Scan
From:       "Soldatov, Sergey V." <SVSoldatov () tnk-bp ! com>
Date:       2006-05-15 14:03:23
Message-ID: ATLMAIEXCP08a1aNEVJ0003e39e () atlmaiexcp08 ! iss ! local

Hi, List

Sometimes there is no :intruder-port in the (TCP|UDP)_Port_Scan signature
details, and no :reason either. Why?
As I mentioned before, I am faced with a great number of false positives (I
think so) with HTTP replies from web sites: all highly loaded
web servers scan my HTTP proxy. It's easy to investigate if
:intruder-port and :reason are shown in the details, but when they aren't
present... So, my question is why sometimes we see :intruder-port and
:reason and sometimes not?
Is it because sometimes :intruder-port is one and it could be specified
in details and sometimes :intruder-port is different for different
probes, so it can't be specified? How can I influence the appearance of
:intruder-port? Can I somehow correlate :intruder-port with
XXP_Port_Scan triggering (i.e. if :intruder-port is 80 and there is no
:reason, the port scan signature does not trigger)?

Thanks.
---
Best regards, Sergey V. Soldatov.
Information security department.

