I've received a couple of alerts from Symantec anti-virus on a server and a client computer saying that they are being port scanned. I was wondering what a network administrator would do about these warnings? Should I just set up a Wireshark capture on the computer and see where the scans are coming from, or is there a better method to detect devices in your network that are port scanning?
Assuming Symantec is reporting the source of the scan, I would investigate and hunt down the source. Once you find the source, it should be possible to tell whether the port scan is malicious or part of some type of management tool.
Thanks Steve. Symantec reported the source as a WLC and an AP (not an AP that was associated with the reported WLC). I thought if someone was connected to the AP and running the scan it would report the IP of the connected user?