Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
367
Views
0
Helpful
7
Replies

Portscans detected by CSA

david-schroeder_2
Level 1
Level 1

‎07-29-2004 05:14 AM - edited ‎03-09-2019 08:14 AM

My CSA log shows I a few devices that have attempted portscans on several of my machines that have CSA installed. The information they provide in the detail of the portscan message only tells me what devices did the scan. Is there any place I can get additional information about this output. I have contacted my PC folks and they have looked at the machines in question but say they cannot find any virus or anything that might be doing the port scan.

Any information you can provide is greatly appreciated.

Thanks,

Dave

Labels:
0 Helpful
7 Replies 7

tsteger1
Level 8
Level 8

‎07-29-2004 03:35 PM

What port? That might indicate what it's trying to do. It could be something expected 427 or 161. You could also look at the PCs with something like nmap or a protocol analyzer to determine what they are actually trying to do.

0 Helpful

david-schroeder_2
Level 1
Level 1
In response to tsteger1

‎07-30-2004 04:57 AM

Thanks for the quick response.

I was assuming that the Portscan was shown because something scanning numerous ports on the machines in quesiton. Maybe that was a wrong assumption on my part. The details of the message does not indicate what port although there is a bunch of detail that is not real easy to read so maybe it is in that detail. If you know what item in the detail shows what port it is let me know.

Thanks,

Dave

0 Helpful

tsteger1
Level 8
Level 8
In response to david-schroeder_2

‎08-02-2004 02:55 PM

Portscan messages normally show which port is being scanned within the message. The details I see show the port number in argi(4) in my MC.

0 Helpful

jeff.roback
Level 1
Level 1

‎08-11-2004 08:06 AM

We see this all the time with Symantec Antivirus Corporate Edition host servers checking in with clients. Haven't found a way to tell the CSA MC to ignore "port scan" events from the SAV server, so these clutter up all our logs.

0 Helpful

tsteger1
Level 8
Level 8
In response to jeff.roback

‎08-11-2004 12:19 PM

I was told that version 4.5 will allow you to create rules to exclude "admin" servers from the global event message generation. That will be nice...

0 Helpful

david-schroeder_2
Level 1
Level 1
In response to tsteger1

‎08-12-2004 03:43 AM

That would be nice. Thanks for the information.

Dave

0 Helpful

david-schroeder_2
Level 1
Level 1
In response to jeff.roback

‎08-12-2004 03:45 AM

Jeff,

Thanks for the information. What I have seen it mostly on is our SMS servers. I have seen it from our antivirus server also. What do you have your Global correlation settings set at for these to reduce the number of log entries, but not reduce your ability to see portscans that are not wanted?

Thanks,

Dave

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents