My CSA log shows a few devices that have attempted portscans on several of my machines that have CSA installed. The information they provide in the detail of the portscan message only tells me what devices did the scan. Is there any place I can get additional information about this output? I have contacted my PC folks and they have looked at the machines in question but say they cannot find any virus or anything that might be doing the port scan.
Any information you can provide is greatly appreciated.
What port? That might indicate what it's trying to do. It could be something expected, like 427 or 161. You could also look at the PCs with something like nmap or a protocol analyzer to determine what they are actually trying to do.
Thanks for the quick response.
I was assuming that the portscan was shown because something was scanning numerous ports on the machines in question. Maybe that was a wrong assumption on my part. The details of the message do not indicate what port, although there is a bunch of detail that is not real easy to read, so maybe it is in that detail. If you know what item in the detail shows what port it is, let me know.
Portscan messages normally show which port is being scanned within the message. The details I see show the port number in argi(4) in my MC.
We see this all the time with Symantec Antivirus Corporate Edition host servers checking in with clients. Haven't found a way to tell the CSA MC to ignore "port scan" events from the SAV server, so these clutter up all our logs.
I was told that version 4.5 will allow you to create rules to exclude "admin" servers from the global event message generation. That will be nice...
Thanks for the information. What I have seen it mostly on is our SMS servers. I have seen it from our antivirus server also. What do you have your Global correlation settings set at for these to reduce the number of log entries, but not reduce your ability to see portscans that are not wanted?
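The filtering the later replies are after (treat known SAV/SMS management servers as expected noise, but keep every other portscan event visible) can be done when post-processing exported events. This is an added example, not code from the thread or from CSA; the event layout (a list of argi values with the port at index 4, as one replier reports for their MC), the allowlist and all host names are constructed assumptions, not the real MC export format.

```python
# Added example: triage CSA MC "port scan" events by source host and scanned port.
# The event layout (an "argi" list with the port at index 4) and all host names
# are constructed assumptions for this example, not the real export format.
from collections import Counter

# Constructed allowlist: management servers expected to probe clients, and the
# ports they are expected to touch. 427 (SLP) and 161 (SNMP) are the ports the
# thread mentions as likely benign.
KNOWN_SCANNERS = {
    "sav-server01": {427, 161},   # Symantec AV host server checking in with clients
    "sms-server01": {161},        # SMS server
}

def port_from_argi(argi):
    """Pull the scanned port out of the event's argi list (index 4, assumed)."""
    try:
        return int(argi[4])
    except (IndexError, ValueError, TypeError):
        return None

def classify(event):
    """Return 'expected', 'known-host-unexpected-port', 'unknown-port' or 'investigate'."""
    src = event["src"]
    port = port_from_argi(event["argi"])
    if port is None:
        return "unknown-port"          # detail carried no port: keep for manual review
    if src in KNOWN_SCANNERS:
        return "expected" if port in KNOWN_SCANNERS[src] else "known-host-unexpected-port"
    return "investigate"               # unknown source: exactly what should stay in the log

def triage(events):
    """Drop only the expected management noise; return the rest plus per-class counts."""
    kept = [e for e in events if classify(e) != "expected"]
    counts = Counter(classify(e) for e in events)
    return kept, counts

# Constructed sample events (not real CSA output).
SAMPLE_EVENTS = [
    {"src": "sav-server01", "dst": "pc-101", "argi": ["x", "x", "x", "x", "427"]},
    {"src": "sms-server01", "dst": "pc-102", "argi": ["x", "x", "x", "x", "161"]},
    {"src": "sms-server01", "dst": "pc-103", "argi": ["x", "x", "x", "x", "445"]},
    {"src": "10.1.1.50",    "dst": "pc-104", "argi": ["x", "x", "x", "x", "1433"]},
    {"src": "10.1.1.51",    "dst": "pc-105", "argi": ["x", "x", "x"]},
]

if __name__ == "__main__":
    kept, counts = triage(SAMPLE_EVENTS)
    for e in kept:
        print(classify(e), e["src"], "->", e["dst"], port_from_argi(e["argi"]))
    print(dict(counts))
```

A known server hitting a port outside its allowlist is deliberately not dropped, so a compromised or misconfigured management host still shows up.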