Aladdin eSafe Internet security Appliances - active scan



I discovered a device that was actively and aggressively scanning my
computer. I did an nmap OS ID and it came out as an Aladdin eSafe Appliance
(Linux 2.4 / Linux 2.6). I looked at their site and it doesn't appear that
they have any active-type appliances. They all seem to be passive filter-type
appliances.

http://www.aladdin.com/esafe

As soon as I noticed this I opened up Wireshark and decided to watch any
packets with a src or dst of that IP. In less than 400 seconds it scanned
11,376 ports consecutively on another computer and then began scanning the
next one.

It went from IP 255.255.255.98 to ...84 to ...37, so that seemed fairly
random, but I didn't bother to break it down either. It kept the same
aggressive scan pattern throughout.

Curious if anyone can shed some light for me on a gateway/content filtering
appliance doing an active scan of the internal network over an IPSec
tunnel (possibly three, but the other hops are out of my AOR).

Some of the packets did come up as malformed with a correct checksum, and
there were a few SYN/FIN packets out there as well.

Thanks for the time all.
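As an added illustration (not part of the original post, and not code from Aladdin or eSafe), here is a small Python checker that reproduces the kind of triage described above from a packet summary: it groups packets by source/destination pair, flags pairs where one host hit many distinct ports in a short window, measures how sequential the port order was, lists the targets in the order they were visited, and pulls out packets with SYN and FIN set together. The traffic records, the scanner address 10.0.0.5 and the target hosts are constructed assumptions; the tshark field names in the docstring are real, but the exact layout of tcp.flags.str is assumed and only its S and F letters are used.

```python
"""Added example (not from the original post): triage a packet summary for
sequential port sweeps and SYN/FIN probes.  All addresses and records below
are constructed; 10.0.0.5 plays the scanning appliance."""
from collections import defaultdict


def parse_tshark_fields(text):
    """Parse tab-separated lines such as those produced by
    tshark -r cap.pcap -Y tcp -T fields -e frame.time_relative -e ip.src \
           -e ip.dst -e tcp.dstport -e tcp.flags.str
    into (ts, src, dst, dport, flags) tuples.  The exact layout of
    tcp.flags.str is assumed; only its S and F letters are kept."""
    records = []
    for line in text.splitlines():
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 5 or not parts[3]:
            continue  # non-TCP or truncated line
        ts, src, dst, dport, flags = parts
        records.append((float(ts), src, dst, int(dport),
                        "".join(c for c in flags if c in "SF")))
    return records


def summarize(packets, port_threshold=100, window=400.0):
    """Return (sweeps, synfin).  A sweep is a (src, dst) pair that touched
    more than port_threshold distinct ports within `window` seconds;
    'sequential' is the fraction of adjacent probed ports that differ by
    exactly 1 (1.0 = linear sweep, ~0 = randomized order).  Sweeps are
    ordered by start time, i.e. the order in which targets were visited."""
    by_pair = defaultdict(list)
    synfin = []
    for ts, src, dst, dport, flags in packets:
        by_pair[(src, dst)].append((ts, dport))
        if "S" in flags and "F" in flags:
            synfin.append((ts, src, dst, dport))
    sweeps = []
    for (src, dst), hits in by_pair.items():
        hits.sort()
        ports = sorted({p for _, p in hits})
        start, end = hits[0][0], hits[-1][0]
        if len(ports) > port_threshold and end - start <= window:
            steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
            sweeps.append({
                "src": src, "dst": dst, "start": start,
                "ports": len(ports), "duration": round(end - start, 2),
                "sequential": round(steps / (len(ports) - 1), 2),
                "first_port": ports[0], "last_port": ports[-1],
            })
    sweeps.sort(key=lambda s: s["start"])
    return sweeps, synfin


# Constructed traffic: 10.0.0.5 sweeps ports 1-300 on .98 (plus one SYN/FIN
# probe), then ports 1-250 on .84; 10.0.0.9 is ordinary background traffic.
SAMPLE_PACKETS = (
    [(100.0 + i * 0.01, "10.0.0.5", "10.0.0.98", 1 + i, "S") for i in range(300)]
    + [(103.5, "10.0.0.5", "10.0.0.98", 7, "SF")]
    + [(104.0 + i * 0.01, "10.0.0.5", "10.0.0.84", 1 + i, "S") for i in range(250)]
    + [(105.0, "10.0.0.9", "10.0.0.98", 80, "S"),
       (105.1, "10.0.0.9", "10.0.0.98", 443, "S")]
)

# Constructed tshark-style output; dots stand in for tshark's placeholder
# character in tcp.flags.str (layout assumed).  Third line is a non-TCP frame.
SAMPLE_TSHARK = (
    "0.000000\t10.0.0.5\t10.0.0.98\t22\t..........S.\n"
    "0.010000\t10.0.0.5\t10.0.0.98\t23\t.........S.F\n"
    "0.020000\t10.0.0.5\t10.0.0.98\t\t\n"
)

if __name__ == "__main__":
    sweeps, synfin = summarize(SAMPLE_PACKETS)
    for s in sweeps:
        print(f"{s['src']} -> {s['dst']}: {s['ports']} ports in {s['duration']}s, "
              f"sequential={s['sequential']}, range {s['first_port']}-{s['last_port']}")
    print("SYN/FIN packets:", synfin)
    print("parsed tshark lines:", parse_tshark_fields(SAMPLE_TSHARK))
```

Running it against the constructed data reports two sweeps from 10.0.0.5 (300 ports on .98 in 3.5 s, then 250 ports on .84), both fully sequential, and one SYN/FIN probe; the background host with two ports never crosses the threshold. On a real capture, feed the output of the tshark command in the docstring through parse_tshark_fields and lower port_threshold if the scanner spreads its probes over more time than the window.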


