From owner-freebsd-security@FreeBSD.ORG Wed Jul 19 16:38:32 2006
Message-ID: <44BE5FF8.1050108@bonddesk.com>
Date: Wed, 19 Jul 2006 12:38:16 -0400
From: Corey Smith
User-Agent: Thunderbird 1.5.0.4 (X11/20060608)
To: Clemens Renner
Cc: freebsd-security@FreeBSD.ORG
References: <200607190718.k6J7IfcU036093@lurza.secnetix.de> <44BE47AD.4010302@rinux.net>
In-Reply-To: <44BE47AD.4010302@rinux.net>
Subject: Re: Port scan from Apache?
List-Id: "Security issues [members-only posting]"

Clemens Renner wrote:
> Regarding the advice from several people that the complaining admin
> should provide more details on the alleged "port scan": I will ask him
> to do that the next time he contacts me.
BTW: I've seen this before on a misconfigured TAP/SPAN when the IDS can only see half of the connection (the receives but not the sends, for example). Since the IDS sees a ton of SYNs without the corresponding SYN/ACKs, it looks like a portscan. Your web server probably has more connections per second than any other device on your network...

-Corey Smith
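The effect Corey describes, worked through as an added example (not part of the original message or of any IDS product). It builds a constructed three-way-handshake capture of ordinary HTTP traffic, runs a toy scan heuristic over it in the spirit of an IDS port-scan preprocessor (flag a host that sends to many targets without any reply ever being seen), and then runs the same heuristic over each half of a one-sided SPAN view. The addresses, the per-client connection counts and the threshold are all assumptions chosen for the illustration.

```python
"""Why a one-sided SPAN/TAP makes the busiest host look like a port scanner.

All traffic below is constructed for the example; nothing is from a real capture.
"""
from collections import defaultdict
from typing import NamedTuple


class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump notation: "S" = SYN, "S." = SYN/ACK, "." = ACK


WEB = "10.0.0.80"  # assumed address of the web server (constructed)
CLIENTS = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "198.51.100.7", "198.51.100.9"]


def web_traffic(per_client: int = 4) -> list:
    """Full-duplex capture: every client completes several handshakes to port 80."""
    pkts = []
    for i, client in enumerate(CLIENTS):
        for n in range(per_client):
            sport = 40000 + 100 * i + n
            pkts.append(Pkt(client, sport, WEB, 80, "S"))    # client SYN
            pkts.append(Pkt(WEB, 80, client, sport, "S."))   # server SYN/ACK
            pkts.append(Pkt(client, sport, WEB, 80, "."))    # client ACK
    return pkts


def half_duplex(pkts, host: str, side: str) -> list:
    """Simulate a SPAN/TAP that mirrors only one direction for `host`:
    side="sends" keeps what the host transmits, side="receives" what it receives."""
    if side == "sends":
        return [p for p in pkts if p.src == host]
    if side == "receives":
        return [p for p in pkts if p.dst == host]
    raise ValueError(f"unknown side {side!r}")


def unanswered_targets(pkts) -> dict:
    """Per source host: the set of (dst, dport) it sent packets to for which no
    packet in the reverse direction of that flow was ever observed."""
    seen = {(p.src, p.sport, p.dst, p.dport) for p in pkts}
    result = defaultdict(set)
    for p in pkts:
        reverse = (p.dst, p.dport, p.src, p.sport)
        if reverse not in seen:
            result[p.src].add((p.dst, p.dport))
    return result


def unanswered_syns(pkts) -> int:
    """Count plain SYNs whose flow never shows a packet coming back."""
    seen = {(p.src, p.sport, p.dst, p.dport) for p in pkts}
    return sum(1 for p in pkts
               if p.flags == "S" and (p.dst, p.dport, p.src, p.sport) not in seen)


def flag_scanners(pkts, threshold: int = 10) -> list:
    """Toy scan rule: a host is a 'scanner' once it has sent to `threshold` or
    more distinct targets that never answered. Returns the flagged hosts, sorted."""
    return sorted(h for h, t in unanswered_targets(pkts).items() if len(t) >= threshold)


if __name__ == "__main__":
    full = web_traffic()
    views = [("full duplex", full),
             ("sends only", half_duplex(full, WEB, "sends")),
             ("receives only", half_duplex(full, WEB, "receives"))]
    for label, view in views:
        print(f"{label:14} unanswered SYNs={unanswered_syns(view):3}  "
              f"flagged={flag_scanners(view)}")
```

With both directions visible nothing is flagged. Keep only the packets the web server sends and every SYN/ACK looks like an unanswered probe of a different client port, so the web server, the host with the most flows, is the first to cross the threshold. Keep only what it receives and the same capture instead shows twenty client SYNs with no SYN/ACK behind them, which a SYN-rate or flood rule would pick up rather than a per-host scan rule. Before arguing with the complaining admin about the rule, confirm on the sensor that both halves are actually arriving; a filter such as `tcpdump -ni <iface> 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'` should show SYN/ACKs leaving the web server during normal load.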