02-06-2014 07:02 AM - edited 02-21-2020 05:06 AM
I've received a couple of alerts from Symantec anti-virus on a server and client computer saying that it is being port scanned. I was wondering what a network administrator would do about these warnings? Should I just set up a Wireshark capture on the computer and see where the scans are coming from, or is there a better method to detect devices in your network that are port scanning?
Thanks for the advice
02-06-2014 06:33 PM
Assuming Symantec is reporting the source of the scan, I would investigate and hunt down the source. Once you find the source, you should be able to tell whether the port scan is malicious or part of some type of management tool.
--
CCNP, CCIP, CCDP, CCNA: Security/Wireless
Blog: http://ccie-or-null.net/
02-07-2014 05:36 AM
Thanks Steve. Symantec reported the source as a WLC and an AP (not an AP that was associated with the reported WLC). I thought if someone was connected to the AP and running the scan it would report the IP of the connected user?
02-08-2014 10:17 AM
Then it reported two port scans?
1 From the WLC
1 From an LAP - If the LAP was not associated to the WLC how do you know it was a LAP?
How often do these alerts trigger?
--
CCNP, CCIP, CCDP, CCNA: Security/Wireless
Blog: http://ccie-or-null.net/
02-10-2014 08:50 AM
I'm not too sure what you mean by your first question, but the LAP that it reported was associated with our secondary WLC. It also alerted our primary WLC as running port scans.
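One way to triage a capture taken on the alerting host, as an added example that is not part of the original thread: it counts how many distinct destination ports each source probes with bare SYNs inside a time window, which separates a sweep from a management tool that keeps reconnecting to one port. The input layout, the function names, the thresholds and the sample addresses are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample, tab-separated: epoch, src, dst, dst port, SYN flag, ACK flag.
# Assumed to resemble a field export of a capture (frame.time_epoch, ip.src,
# ip.dst, tcp.dstport, tcp.flags.syn, tcp.flags.ack); flags may be 1/0 or True/False.
SAMPLE = "\n".join(
    [f"{1000.0 + i * 0.05:.2f}\t192.0.2.50\t192.0.2.10\t{p}\t1\t0"
     for i, p in enumerate(range(20, 60))]              # 40 different ports in 2 s
    + [f"{1000.0 + i * 5:.2f}\t192.0.2.20\t192.0.2.10\t8443\tTrue\tFalse"
       for i in range(30)]                               # many SYNs, always one port
    + ["1001.00\t192.0.2.10\t192.0.2.50\t443\t1\t1"]     # SYN/ACK reply, not a probe
)

def is_set(flag):
    return flag.strip().lower() in ("1", "true")

def find_scanners(text, window=10.0, min_ports=15):
    """Map (src, dst) to the most distinct ports probed in any `window` seconds,
    keeping only pairs that reach `min_ports`."""
    probes = defaultdict(list)
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 6:
            continue
        ts, src, dst, port, syn, ack = parts
        try:
            event = (float(ts), int(port))
        except ValueError:                 # empty fields, e.g. non-TCP frames
            continue
        if is_set(syn) and not is_set(ack):
            probes[(src, dst)].append(event)
    hits = {}
    for pair, events in probes.items():
        events.sort()
        start, best, counts = 0, 0, defaultdict(int)
        for ts, port in events:
            counts[port] += 1
            while ts - events[start][0] > window:   # slide the window forward
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            best = max(best, len(counts))
        if best >= min_ports:
            hits[pair] = best
    return hits

if __name__ == "__main__":
    for (src, dst), ports in find_scanners(SAMPLE).items():
        print(f"{src} probed {ports} ports on {dst}")
```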