07-29-2004 05:14 AM - edited 03-09-2019 08:14 AM
My CSA log shows a few devices that have attempted portscans on several of my machines that have CSA installed. The information they provide in the detail of the portscan message only tells me what devices did the scan. Is there any place I can get additional information about this output? I have contacted my PC folks and they have looked at the machines in question but say they cannot find any virus or anything that might be doing the port scan.
Any information you can provide is greatly appreciated.
Thanks,
Dave
07-29-2004 03:35 PM
What port? That might indicate what it's trying to do. It could be something expected, 427 or 161. You could also look at the PCs with something like nmap or a protocol analyzer to determine what they are actually trying to do.
07-30-2004 04:57 AM
Thanks for the quick response.
I was assuming that the Portscan was shown because something was scanning numerous ports on the machines in question. Maybe that was a wrong assumption on my part. The details of the message do not indicate what port, although there is a bunch of detail that is not real easy to read so maybe it is in that detail. If you know what item in the detail shows what port it is, let me know.
Thanks,
Dave
08-02-2004 02:55 PM
Portscan messages normally show which port is being scanned within the message. The details I see show the port number in argi(4) in my MC.
08-11-2004 08:06 AM
We see this all the time with Symantec Antivirus Corporate Edition host servers checking in with clients. Haven't found a way to tell the CSA MC to ignore "port scan" events from the SAV server, so these clutter up all our logs.
08-11-2004 12:19 PM
I was told that version 4.5 will allow you to create rules to exclude "admin" servers from the global event message generation. That will be nice...
08-12-2004 03:43 AM
That would be nice. Thanks for the information.
Dave
08-12-2004 03:45 AM
Jeff,
Thanks for the information. What I have seen it mostly on is our SMS servers. I have seen it from our antivirus server also. What do you have your Global correlation settings set at for these to reduce the number of log entries, but not reduce your ability to see portscans that are not wanted?
Thanks,
Dave