Host Sweep and TCP port scans
TheFORCE
Member Posts: 2,297 ■■■■■■■■□□
I'm seeing a lot of host sweep and TCP port scans in my firewall logs from internal network to external network addresses. Does anyone know if this is normal behavior of any major application? From what I found, a lot of these scans can be interpreted as false positives because of the way some tabbed browsers behave. How would you interpret this information? Is there any troubleshooting that I could do?
Comments
BuzzSaw Member Posts: 259 ■■■□□□□□□□
Can you find the originating IP, or is it coming from multiple IPs on the inside network?
I'd suggest trying to find one particular source to see if you can determine if there is anything concerning there.
As for it being normal behavior, it's possible, but generally you shouldn't be getting port scans. However, the port scan might not actually be a port scan. I'd try to narrow in on one machine and take a look that way. If you can find the machine, you could use something like Burp Suite and burp down the browser in order to see what it's actually calling. Also, you could shark the traffic originating from that IP, or on the box itself.
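To narrow the alerts down to one source the way BuzzSaw suggests, it helps to regroup the raw firewall log by source IP and ask two separate questions per host: how many distinct destinations did it touch in a short window (host sweep), and how many distinct ports on a single destination (port scan). The script below is an added example, not code posted in this thread; it assumes a hypothetical key=value log format (`time src= dst= dport= proto= action=`), uses constructed sample events rather than real traffic, and the thresholds (8 hosts, 8 ports, 60 seconds) are arbitrary starting points. It also flags the tabbed-browser pattern the original poster mentions: many destinations, but all on 80/443 and all allowed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical firewall log format (assumption; adapt the regex to your vendor).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)
WEB_PORTS = {80, 443}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def _peak_distinct(events, key, window):
    """Largest number of distinct key(ev) values inside any sliding time window.
    events must be sorted by timestamp."""
    counts, best, left = Counter(), 0, 0
    for ev in events:
        counts[key(ev)] += 1
        while ev["ts"] - events[left]["ts"] > window:
            old = key(events[left])
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def triage(lines, window=timedelta(seconds=60), sweep_hosts=8, scan_ports=8):
    """Return {src_ip: [verdict, ...]} for sources that look like sweeps or scans."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        verdicts = []
        # Horizontal: many destination hosts from one source.
        hosts = _peak_distinct(events, lambda e: e["dst"], window)
        if hosts >= sweep_hosts:
            ports = {e["dport"] for e in events}
            if ports <= WEB_PORTS and all(e["action"] == "allow" for e in events):
                verdicts.append("many-hosts-web-only (likely browser, verify on host)")
            else:
                verdicts.append(f"host-sweep ({hosts} hosts in {int(window.total_seconds())}s)")
        # Vertical: many ports on one destination.
        by_dst = defaultdict(list)
        for e in events:
            by_dst[e["dst"]].append(e)
        for dst, evs in by_dst.items():
            ports = _peak_distinct(evs, lambda e: e["dport"], window)
            if ports >= scan_ports:
                verdicts.append(f"port-scan of {dst} ({ports} ports)")
        if verdicts:
            findings[src] = verdicts
    return findings


def build_sample_log():
    """Constructed sample events (not real traffic): a browser-like host, an outbound
    SMB sweep across a /24, a 30-port scan of one target, and one quiet host."""
    t0 = datetime(2024, 3, 1, 10, 0, 0)
    fmt = "{ts} src={src} dst={dst} dport={dport} proto=tcp action={act}"
    lines = []
    for i in range(12):  # tabbed browser opening many sites over HTTPS
        lines.append(fmt.format(ts=(t0 + timedelta(seconds=i)).isoformat(),
                                src="10.1.1.20", dst=f"93.184.216.{i + 1}", dport=443, act="allow"))
    for i in range(20):  # outbound SMB sweep, all denied
        lines.append(fmt.format(ts=(t0 + timedelta(seconds=i)).isoformat(),
                                src="10.1.1.55", dst=f"203.0.113.{i + 1}", dport=445, act="deny"))
    for p in range(1, 31):  # vertical scan of a single external target
        lines.append(fmt.format(ts=(t0 + timedelta(seconds=p)).isoformat(),
                                src="10.1.1.77", dst="198.51.100.5", dport=p, act="deny"))
    lines.append(fmt.format(ts=t0.isoformat(), src="10.1.1.9",
                            dst="198.51.100.9", dport=443, act="allow"))
    return lines


if __name__ == "__main__":
    for src, verdicts in triage(build_sample_log()).items():
        print(src, "->", "; ".join(verdicts))
```

The "many-hosts-web-only" verdict is a triage hint, not a clean bill of health: it tells you which source to look at first on the endpoint (processes, connections, logged-on users) rather than which ones to ignore.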
YFZblu Member Posts: 1,462 ■■■■■■■■□□
Scanning from internal to external? That should be considered highly suspicious behavior until you can prove otherwise. I would first find out what roles the scanning systems play in the network. From there you'll want to go to the host and identify exactly what the cause of that traffic is: review running processes, network connections, users, etc. Look for the initial string to pull on.
636-555-3226 Member Posts: 975 ■■■■■□□□□□
Pcap to inspect the traffic. Is it actually a ping sweep, any payloads going out, etc.?