From: Clemens Renner
Date: Fri, 21 Jul 2006 11:43:26 +0200
To: Nash Nipples
Cc: freebsd-security@freebsd.org
Subject: Re: Port scan from Apache?
Message-ID: <44C0A1BE.4050500@rinux.net>
In-Reply-To: <20060721082531.51373.qmail@web36313.mail.mud.yahoo.com>
List-Id: "Security issues [members-only posting]"

Hi Nash,

I'm not sure I really understand what you're up to.
In any case, let me clarify that my whole intention was to get a better understanding of what had happened there. In the end, I don't want my server to produce alarms at other people's sites. I tried to find the cause of the problem on my side and couldn't, thus I suggested a working hypothesis to the complaining (yes, he was complaining) admin.

So my question, which you cited below, was really about the criteria that need to be met for the NetScreen hw/sw to classify something as a port scan. Pure diagnostic information.

As I mentioned earlier, the admin hasn't contacted me since I posted my hypothesis with the web mailer, which I don't quite like either, because I'd prefer a message that says "It's alright, it wasn't your fault." or "We still don't know what's wrong. Can you investigate further using this pile of low-level details?" Of course I'd prefer the first one since it means less work for me, but the second one would also be fine with me.

And on a last note: I didn't mean to be sneaky, I just wanted some advice as to the origins since I thought I might have missed something. For that, this list seemed appropriate to me.

Best wishes
Clemens

Nash Nipples wrote:
> i believe that people who deployed netscreen are quite sure in what
> they are doing and a friendly notice should not sound like a
> complaint to u but instead become a solid ground to understanding
> what could go wrong. Of course if they proudly told you that they ARE
> using the netscreen. Peeking on log entries provided to u and
> announcing it on public doesn't make an electronic robinhood scene.
> unless this is a.. "Do you guys know how does the damn netscreen
> detect portscans, really..?"
>
>> 3. Does anyone know when the NetScreen hardware / software labels
>> something "port scan"?
>
> isn't that an indirect hit? i suggest u ask ur question directly to
> the sender dropping this sneaky habits in freebsd-security list.
> that's what it is about