Hi guys,
Which TCP ports does the Ironport WSA normally use to communicate for updates or during normal operations?
The customer where we are installing 2 S160s sent me this alert log from the existing Checkpoint IPS, where src is the Ironport (10.0.1.5) and dst is the IP address (10.0.0.97) of the Windows AD, DNS and NTP server.
8Oct2011 7:36:47 drop 80.207.58.46 >eth2 mail product: SmartDefense; TCP flags: FIN; Attack Info: TCP flags do not make sense; attack: Bad packet; src: 10.0.1.5; s_port: 7745; dst: 10.0.0.97; service: ldap; proto: tcp;
This log is generated every 15 min, so I believe it is something related to updates, but the service type ldap gives me some doubt.
Maybe the WSA checks AD every 15 min?
Thanks
Best regards
Luca