Date:      Wed, 19 Jul 2006 12:38:16 -0400
From:      Corey Smith <csmith@bonddesk.com>
To:        Clemens Renner <claim@rinux.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Port scan from Apache?
Message-ID:  <44BE5FF8.1050108@bonddesk.com>
In-Reply-To: <44BE47AD.4010302@rinux.net>
References:  <200607190718.k6J7IfcU036093@lurza.secnetix.de> <44BE47AD.4010302@rinux.net>

Clemens Renner wrote:
> Regarding the advice from several people that the complaining admin
> should provide more details on the alleged "port scan": I will ask him
> to do that the next time he contacts me.
BTW: I've seen this before on a misconfigured TAP/SPAN when the IDS can 
only see half of the connection (the receives but not the sends for 
example).  Since the IDS sees a ton of SYNs without the corresponding 
SYN/ACKs it looks like a portscan.

Your web server probably has more connections per second than any other 
device on your network...

-Corey Smith
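
The half-visible capture described in the message above can be told apart from bare unanswered SYNs by checking whether the initiating side kept talking. This is an added example, not code from the original message; the record layout, the flag strings and the sample addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sensor records: (src, sport, dst, dport, tcp_flags).
# ONE_SIDED: the tap only carries packets towards the web server 192.0.2.10.
ONE_SIDED = [
    (f"203.0.113.{i}", 40000 + i, "192.0.2.10", 80, flags)
    for i in (1, 2, 3) for flags in ("S", "A", "PA")
]
# SWEEP: one source sends bare SYNs to several ports and nothing afterwards.
SWEEP = [("198.51.100.7", 50000 + p, "192.0.2.10", p, "S") for p in (21, 22, 23, 25)]

CLIENT_FOLLOW_UP = {"A", "PA", "FA"}  # only sent after the client received a SYN/ACK


def classify_syn_flows(packets):
    """Count SYN-initiated flows by what the sensor saw afterwards."""
    seen = defaultdict(set)  # directional 4-tuple -> flags observed in that direction
    for src, sport, dst, dport, flags in packets:
        seen[(src, sport, dst, dport)].add(flags)
    counts = {"answered": 0, "blind_half": 0, "unanswered": 0}
    for (src, sport, dst, dport), flags in seen.items():
        if "S" not in flags:
            continue  # not the initiating direction
        if seen.get((dst, dport, src, sport)):
            counts["answered"] += 1      # sensor saw the reply direction
        elif flags & CLIENT_FOLLOW_UP:
            counts["blind_half"] += 1    # handshake completed, reply never captured
        else:
            counts["unanswered"] += 1    # bare SYN, nothing else in either direction
    return counts


def verdict(packets):
    """Summarise a capture: is the missing SYN/ACK a sensor blind spot?"""
    c = classify_syn_flows(packets)
    if c["blind_half"] > c["unanswered"] and c["answered"] == 0:
        return "one-sided capture"
    if c["unanswered"] > 0:
        return "unanswered SYNs"
    return "normal"
```

A result of "one-sided capture" points at the TAP/SPAN configuration rather than at the host that appears to be sending the SYNs.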


