Full Disclosure mailing list archives

Re: Port scans from a Dedicated Micro Digital Sprite II


From: eecue <eecue () eecue com>
Date: Wed, 28 Jan 2004 19:41:15 -0800


On Jan 28, 2004, at 11:59 AM, Daniel H. Renner wrote:

> The unit's setup was changed from the original as below to as follows in
> an attempt to remove the router from the equation:
> Internet --- DSL modem --- switch --- DS2 with public IP

first of all i wouldn't connect a sprite to the internet... those boxes
belong on your internal network. if you need to access it from outside
then use vpn.  i've used it and it works fine.

> Concurrent with EVERY attempt to access the DS2, a port scan was
> initiated from the DS2's address at the visiting address, and this can
> be reproduced at will.  For scan logs, see original email to vendor
> below.  (Public IPs modified.)

i think that your IDS is confused and really what happens is that when
the client software connects to the sprite it opens a bunch of ports (21
perhaps) and then the digital sprite connects back to your client on
those ports...

it's not really much of a port scan... maybe you should turn down the
sensitivity of your IDS's portscan detector.

btw those digital sprites rock..  they're multiple camera multiplexors
and hard drive recorders with time lapse recording built in.  and event
detection. all in a nice little 1u rack mount box, but yeah keep it off the
internet.

-eek


....
A. David Bullock
eecue : programmer / designer / admin / human
http://eecue.com/
anything is possible


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

