Port scan from Apache?
Corey Smith
csmith at bonddesk.com
Wed Jul 19 16:38:32 UTC 2006

Clemens Renner wrote:
> Regarding the advice from several people that the complaining admin
> should provide more details on the alleged "port scan": I will ask him
> to do that the next time he contacts me.
BTW: I've seen this before on a misconfigured TAP/SPAN when the IDS can 
only see half of the connection (the receives but not the sends, for 
example).  Since the IDS sees a ton of SYNs without the corresponding 
SYN/ACKs it looks like a portscan.
Your web server probably has more connections per second than any other 
device on your network...
-Corey Smith
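
The half-visible-connection effect described in the message above can be checked for on the sensor side. The sketch below is an added example, not part of the original message: the function name, the packet tuple layout, the threshold and the documentation-range addresses are all assumptions made for illustration. It separates sources whose SYNs go unanswered while the targets are still seen replying (RST or SYN/ACK) from sources whose targets are never seen sending anything, which points at the tap rather than the host. A target that silently drops packets also produces no replies, so the second verdict is a prompt to inspect the TAP/SPAN, not proof.

```python
from collections import defaultdict

def classify_syn_sources(packets, threshold=5):
    """packets: (src, sport, dst, dport, flags) tuples, flags "S", "SA", "R", ...
    Returns {src: verdict} for sources with >= threshold unanswered SYNs.
    Hypothetical helper written for this example."""
    syns = defaultdict(set)        # src -> {(dst, sport, dport)} SYNs observed
    synacks = set()                # (client, server, client_port, server_port)
    sends_to = defaultdict(set)    # host -> peers it was observed sending to
    for src, sport, dst, dport, flags in packets:
        sends_to[src].add(dst)
        if flags == "S":
            syns[src].add((dst, sport, dport))
        elif flags == "SA":
            # A SYN/ACK travels server -> client, so swap the roles back.
            synacks.add((dst, src, dport, sport))
    verdicts = {}
    for src, conns in syns.items():
        unanswered = [c for c in conns
                      if (src, c[0], c[1], c[2]) not in synacks]
        if len(unanswered) < threshold:
            continue
        targets = {c[0] for c in unanswered}
        # Did the sensor ever see any target send anything back to src?
        reverse_seen = any(src in sends_to.get(t, ()) for t in targets)
        verdicts[src] = "possible-scan" if reverse_seen else "one-sided-capture"
    return verdicts

# Constructed sample traffic (documentation address ranges).
WEB = "192.0.2.10"
SAMPLE = (
    # Client opening connections to the web server; sensor sees inbound only.
    [("198.51.100.7", 40000 + i, WEB, 80, "S") for i in range(8)]
    # One source probing many ports on one host; replies are visible.
    + [("203.0.113.5", 50000, "192.0.2.20", p, "S") for p in range(20, 28)]
    + [("192.0.2.20", p, "203.0.113.5", 50000, "R")
       for p in range(20, 28) if p != 22]
    + [("192.0.2.20", 22, "203.0.113.5", 50000, "SA")]
)

if __name__ == "__main__":
    for src, verdict in sorted(classify_syn_sources(SAMPLE).items()):
        print(src, verdict)
```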