Security Incidents mailing list archives

stealth scans on old legacy firewalls.


From: lwcashd () BIW COM (Larry W. Cashdollar)
Date: Fri, 4 Feb 2000 08:16:55 -0500


Every day I check the logs on our current firewall (soon to be replaced).  I have noticed and reported to
management/staff that the number of scans we are logging has decreased over the last 3 months.  My theory
was that our firewall was still being scanned but with stealth utilities like nmap.  I also noted that our
firewall in its current configuration could not log these types of scans as they didn't complete the TCP
3-way handshake.  Well, our new firewall is up and running and being tested online.  This morning this
showed up in its logs:

Feb 04 04:58:58.138 bertha kernel[0]: 226 IP  packet dropped
(gnet44.szptt.net.cn[202.96.191.44]->bertha[xxx.xxx.xxx.xxx]:
Protocol=TCP[SYN] Port 1861->8080): Restricted Port: Protocol=TCP[SYN] Port
1861->8080 (received on interface xxx.xxx.xxx.xxx)

^^^^^^  Open proxy server scan.

Feb 04 04:58:58.892 bertha kernel[0]: 226 IP  packet dropped
(gnet44.szptt.net.cn[202.96.191.44]->bertha[xxx.xxx.xxx.xxx]:
Protocol=TCP[SYN] Port 2225->3128): Restricted Port: Protocol=TCP[SYN] Port
2225->3128 (received on interface xxx.xxx.xxx.xxx)

^^^^^^ Don't know what they are looking for on port 3128.

Feb 04 04:58:59.598 bertha kernel[0]: 226 IP  packet dropped
(gnet44.szptt.net.cn[202.96.191.44]->bertha[xxx.xxx.xxx.xxx]:
Protocol=TCP[SYN] Port 2609->1080): Restricted Port: Protocol=TCP[SYN] Port
2609->1080 (received on interface xxx.xxx.xxx.xxx)

^^^^^^ Socks Scan.

Meanwhile, the logs on the old firewall remained quiet.  All I can say is attackers
are like children: if they are too quiet, something is wrong.

-- Larry
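An added example, not code from Larry's post: a small Python parser for the dropped-packet entries quoted above, assuming each entry is one log line (the wrapping above is mail wrapping) and that the year, which the firewall does not log, is 2000. It groups dropped TCP SYNs by source, flags a source that probes several distinct ports within a short window, and notes which of those are the common proxy listeners 8080 (HTTP proxy), 3128 (Squid's default port) and 1080 (SOCKS).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "IP packet dropped" lines quoted in the post; only the fields
# needed for scan detection are captured.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ kernel\[\d+\]: \d+ IP\s+packet dropped "
    r"\([^\s\[]+\[(?P<src>[\d.]+)\]->[^\s\[]+\[[^\]]+\]: "
    r"Protocol=(?P<proto>\w+)\[(?P<flags>[^\]]+)\] Port (?P<sport>\d+)->(?P<dport>\d+)\)"
)
# Well-known proxy listeners: HTTP proxy, Squid default, SOCKS.
PROXY_PORTS = {8080, 3128, 1080}

# Constructed sample: the three entries from the post joined onto single lines,
# plus one unrelated drop from a made-up source (10.0.0.5) that must not be flagged.
SAMPLE_LINES = [
    "Feb 04 04:58:58.138 bertha kernel[0]: 226 IP  packet dropped (gnet44.szptt.net.cn[202.96.191.44]->bertha[xxx.xxx.xxx.xxx]: Protocol=TCP[SYN] Port 1861->8080): Restricted Port: Protocol=TCP[SYN] Port 1861->8080 (received on interface xxx.xxx.xxx.xxx)",
    "Feb 04 04:58:58.892 bertha kernel[0]: 226 IP  packet dropped (gnet44.szptt.net.cn[202.96.191.44]->bertha[xxx.xxx.xxx.xxx]: Protocol=TCP[SYN] Port 2225->3128): Restricted Port: Protocol=TCP[SYN] Port 2225->3128 (received on interface xxx.xxx.xxx.xxx)",
    "Feb 04 04:58:59.598 bertha kernel[0]: 226 IP  packet dropped (gnet44.szptt.net.cn[202.96.191.44]->bertha[xxx.xxx.xxx.xxx]: Protocol=TCP[SYN] Port 2609->1080): Restricted Port: Protocol=TCP[SYN] Port 2609->1080 (received on interface xxx.xxx.xxx.xxx)",
    "Feb 04 05:10:00.000 bertha kernel[0]: 226 IP  packet dropped (host.example[10.0.0.5]->bertha[xxx.xxx.xxx.xxx]: Protocol=TCP[SYN] Port 40000->22): Restricted Port: Protocol=TCP[SYN] Port 40000->22 (received on interface xxx.xxx.xxx.xxx)",
]

def parse_drop(line):
    """Return (timestamp, src_ip, tcp_flags, dst_port) for a dropped-packet line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")  # year assumed: not logged
    return ts, m["src"], m["flags"], int(m["dport"])

def find_syn_scans(lines, window=timedelta(seconds=30), min_ports=3):
    """Flag each source whose dropped SYNs hit >= min_ports distinct ports inside `window`.
    Returns {src_ip: {"ports": [...], "proxy_ports": [...]}}."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_drop(line)
        if rec and rec[2] == "SYN":          # half-open probes only: SYN with no completed handshake
            by_src[rec[1]].append((rec[0], rec[3]))
    findings = {}
    for src, hits in by_src.items():
        hits.sort()                           # chronological, so a sliding window is a forward scan
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                findings[src] = {"ports": sorted(ports), "proxy_ports": sorted(ports & PROXY_PORTS)}
                break
    return findings
```

Lowering `min_ports` to 2 would make a two-port proxy probe (8080 plus 3128, say) sufficient to alert at the cost of more noise from legitimate retries.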
