Re: Aladdin eSafe Internet security Appliances - active scan

[Javier Reyna Padilla <jreyna () onlinet com mx>]

as far as I know eSafe appliances are just passive filtering, in bridge 
or routing configuration and it doesn't perform an scan, nor one so 
aggressive. altough the OS id might be a false positive

¡Saludos!
________________

Javier Reyna 
CCSE WCSE ISS-CS NSP JNCIA-FWV
Consultor en Seguridad
jreyna () onlinet com mx
www.onlinet.com.mx
,,__
o" )~
''''



Noah.Lance () APCC com wrote:
> I discovered a device that was actively and aggressively scanning my 
> computer. I did a nmap OS id and it came out as a Aladdin eSafe Appliance 
> (Linux 2.4 Linux 2.6). Looked at their site and it doesn't appear that 
> they have any active type appliances. They all seem to be passive filter 
> type appliances. 
>
> http://www.aladdin.com/esafe
>
> As soon as I noticed this I opened up wireshark and decided to watch any 
> packets with src or dst of the ip. in less than 400 seconds it scanned 
> 11,376 ports consecutively on another computer and then began scanning the 
> next one.
>
> It went from IP 255.255.255.98 to ...84 to ...37, so that seemed fairly 
> random but i didn't bother break it down either. Still with the same 
> aggressive scan pattern.
>
> Curious if we can shed some light on me about a gateway/content filtering 
> appliance doing an active scan of the internal network, over an IPSec 
> tunnel (possibly three, but the other hops are out of my AOR).
>
> Some of the packets did come up as malformed with a correct checksum, as 
> well as a few syn/fin packets out there as well. 
>
> Thanks for the time all.
>
>