Symantec reporting port scan

Mark Mattix
Level 2

I've received a couple of alerts from Symantec anti-virus on a server and client computer saying that it is being port scanned. I was wondering what a network administrator would do about these warnings? Should I just set up a Wireshark capture on the computer and see where the scans are coming from, or is there a better method to detect devices in your network that are port scanning?

Thanks for the advice        

4 Replies

SOcchiogrosso
Level 4

Assuming Symantec is reporting the source of the scan, I would investigate and hunt down the source. Once you find the source, it should be possible to tell whether the port scan is malicious or part of some type of management tool.

--
CCNP, CCIP, CCDP, CCNA: Security/Wireless
Blog: http://ccie-or-null.net/


Thanks Steve. Symantec reported the source as a WLC and an AP (not an AP that was associated with the reported WLC). I thought if someone was connected to the AP and running the scan it would report the IP of the connected user?

Then it reported two port scans?

1 From the WLC

1 From an LAP - If the LAP was not associated to the WLC how do you know it was a LAP?

How often do these alerts trigger?     

--
CCNP, CCIP, CCDP, CCNA: Security/Wireless
Blog: http://ccie-or-null.net/


I'm not too sure what you mean by your first question but the LAP that it reported was associated with our secondary WLC. It also alerted our primary WLC as running port scans.
