Re: Port Scans

From: WTMI (wtmi_at_hotmail.com)
Date: 10/04/04


Date: 4 Oct 2004 06:01:22 -0700

Rob Hughes <rob@robhughes.com> wrote in message news:<S6adnUsWgInXnMPcRVn-sw@comcast.com>...
> WTMI is alleged to have said in comp.security.firewalls:
>
> > I have a Checkpoint Firewall One NG FP3 running on a Nokia IP380. My
> > problem is that I have a laptop that is sending HTTP packets to the
> > gateway IP address on strange ports. And each log entry has a
> > different port number and sequentially higher number. This sounds to
> > me to be a port scan but am not sure. If it is, what should I be
> > looking for on the laptop? I know that the AV is up to date. Any
> > help would be greatly appreciated. Thank you.
>
> Uhm... that's how TCP connections work. Are you in Voyager by any chance
> when this happens? Otherwise, get a monitor or other snoop of the traffic
> and post a sample.

I was looking at the Checkpoint logs at the time. The system is also
trying to connect to the firewall, but the firewall rejects it since
that IP is not authorized to manage the firewall. That I do see in the
http error log "[Fri Oct 1 11:58:13 2004] [error] (2)No such file or
directory: access to / failed for 10.10.15.224, reason: User not known
to the underlying authentication module". Thanks for the help.
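
An added example, not part of the original thread: one way to tell the two cases discussed above apart is to check which side's port number changes. A client opening repeated connections to one service shows rising source ports and a fixed destination port, while a scan shows many destination ports. The record layout, the addresses 10.10.15.1 and 10.10.15.50, and the threshold of 10 are assumptions; the sample records are constructed and are not Check Point log output.

```python
from collections import defaultdict

# Constructed records: (src_ip, src_port, dst_ip, dst_port).
# 10.10.15.224 is the client address quoted in the post; the gateway
# address 10.10.15.1 and the second host 10.10.15.50 are hypothetical.
SAMPLE = (
    # Same destination port, source port climbing by one per connection.
    [("10.10.15.224", 1045 + i, "10.10.15.1", 80) for i in range(12)]
    # Destination port climbing: a different service probed each time.
    + [("10.10.15.50", 40000 + i, "10.10.15.1", 20 + i) for i in range(15)]
)


def classify(records, scan_threshold=10):
    """Label each (src_ip, dst_ip) pair by which port set is varying.

    scan_threshold is an assumed cut-off for the number of distinct
    destination ports; tune it to the environment.
    """
    src_ports = defaultdict(set)
    dst_ports = defaultdict(set)
    for src, sport, dst, dport in records:
        src_ports[(src, dst)].add(sport)
        dst_ports[(src, dst)].add(dport)

    verdicts = {}
    for pair in src_ports:
        if len(dst_ports[pair]) >= scan_threshold:
            # Many distinct services contacted on one target.
            verdicts[pair] = "possible port scan"
        elif len(src_ports[pair]) > 1:
            # Only the client-side (ephemeral) port changes.
            verdicts[pair] = "repeated connections to same service"
        else:
            verdicts[pair] = "single connection"
    return verdicts


if __name__ == "__main__":
    for (src, dst), verdict in sorted(classify(SAMPLE).items()):
        print(f"{src} -> {dst}: {verdict}")
```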