[prev in list] [next in list] [prev in thread] [next in thread]
List: issforum
Subject: [ISSForum] XXP_Port_Scan
From: "Soldatov, Sergey V." <SVSoldatov () tnk-bp ! com>
Date: 2006-05-15 14:03:23
Message-ID: ATLMAIEXCP08a1aNEVJ0003e39e () atlmaiexcp08 ! iss ! local
[Download RAW message or body]
Hi, List
Sometimes there is no :intruder-port in (TCP|UDP)_Port_Scan signature
details and without :reason too. Why?
As I mentioned before, I faced with a great number of false positives (I
think so) with HTTP replies from Web-sites: all highly-loaded
web-servers scan my HTTP-proxy. It's easy to investigate if
> intruder-port and :reason are shown in details, but when they didn't
present... So, my question is why sometimes we see :intruder-port and
> reason and sometimes not?
Is it because sometimes :intruder-port is one and it could be specified
in details and sometimes :intruder-port is different for different
probes, so it can't be specified? How can I influence on appearance of
> intruder-port ? Can I somehow correlate :intruder-port with
XXP_Port_Scan triggering (i.e. if :intruder-port is 80 and tere is no
> reason, port scan signature is not triggering) ?
Tanks.
---
Best regards, Sergey V. Soldatov.
Information security department.
_______________________________________________
ISSForum mailing list
ISSForum@iss.net
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to \
https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to mod-issforum@iss.net
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 \
Barfield Road, Atlanta, Georgia, USA 30328.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic