Proventia Server IPS for Linux technology, RealSecure Desktop, RealSecure Desktop Protector 3.6, Proventia Network IPS, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Desktop, IBM Security Server Protection for Windows, Proventia Network MFS, BlackICE PC Protection, BlackICE Server Protection, BlackICE Agent for Server, RealSecure Sentry, RealSecure Guard, RealSecure Network, RealSecure Server Sensor, Virtual Server Protection for VMware:
This signature detects a high number of TCP packets being sent in a short period of time to the same port on different computers. This could indicate an attacker's attempt to determine which computers are running a particular service.
This signature replaces ServiceScan.
This signature detects a high number of TCP packets being sent in a short period of time to the same port on different computers. This could indicate an attacker's attempt to determine which computers are running a particular service. Because of the likelihood of false positives, TCP port 80 is excluded from triggering this signature.
Proventia Server IPS for Linux technology, Proventia Network IPS, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Desktop, IBM Security Server Protection for Windows, Proventia Network MFS, RealSecure Network, RealSecure Server Sensor, Virtual Server Protection for VMware: Because of the likelihood of false positives, TCP port 80 is excluded from triggering this signature.
Proventia Server IPS for Linux technology, RealSecure Desktop, RealSecure Desktop Protector 3.6, Proventia Network IPS, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Desktop, IBM Security Server Protection for Windows, Proventia Network MFS, BlackICE PC Protection, BlackICE Server Protection, RealSecure Network, RealSecure Server Sensor, Virtual Server Protection for VMware: This signature triggers on port probe events. This technique is used to avoid false positives from routine sweeps across a subnet, which can be common in normal traffic. Examples of where this is common include load balancing web server farms and SMTP mail exchange pools. Because this signature triggers on port probe events, a false negative scenario exists if all ports probed are open.
Low
Proventia Server IPS for Linux technology: 1.0, RealSecure Desktop: baseline, RealSecure Desktop Protector 3.6: baseline, Proventia Network IPS: 2.0, Proventia-G 1.1 and earlier: G Series, Proventia Network IDS: A Series, Proventia Desktop: 8.0.614.1, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.0, Proventia Network MFS: 1.0, BlackICE PC Protection: 3.6.cbd, BlackICE Server Protection: 3.6.cbd, BlackICE Agent for Server: 3.6, RealSecure Sentry: 3.6, RealSecure Guard: 3.6, RealSecure Network: 7.0, RealSecure Desktop Protector: 3.6, RealSecure Server Sensor: 7.0, Virtual Server Protection for VMware: 1.0
Various vendors: Any application
Pre-attack Probe
By attempting to connect to the same port on many different computers, an attacker can attempt to determine which computers are running a particular service within a network. This information could be useful to an attacker in performing an attack.
In performing such a scan, an attacker may attempt to avoid detection by using a slow connection rate.
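The detection logic described above, sketched as an added example (not ISS code and not the signature's actual implementation). It assumes a "port probe event" means a connection attempt the target did not accept; the 10-second window, the five-host threshold, the event tuple layout and all addresses are assumptions constructed for illustration. The sample cases show the port 80 exclusion, the all-ports-open false negative and the slow-scan evasion the page mentions.

```python
from collections import defaultdict, deque

EXCLUDED_PORTS = {80}   # the page excludes TCP port 80 (false positives)
WINDOW_SECONDS = 10.0   # assumed value; the page states no threshold
MIN_TARGETS = 5         # assumed value; the page states no threshold


def detect_service_sweeps(events, window=WINDOW_SECONDS, min_targets=MIN_TARGETS):
    """Return sorted (source, port) pairs that probed one port on at least
    min_targets different hosts within window seconds.

    events: (timestamp, source, target, port, accepted) tuples sorted by
    timestamp. Assumption: a "port probe event" is an attempt the target
    did not accept, so accepted connections are never counted.
    """
    recent = defaultdict(deque)  # (source, port) -> (timestamp, target) probes
    flagged = set()
    for ts, src, dst, port, accepted in events:
        if accepted or port in EXCLUDED_PORTS:
            continue
        probes = recent[(src, port)]
        probes.append((ts, dst))
        while ts - probes[0][0] > window:  # drop probes older than the window
            probes.popleft()
        if len({target for _, target in probes}) >= min_targets:
            flagged.add((src, port))
    return sorted(flagged)


def sweep(src, port, accepted, step=0.5, hosts=8):
    """Constructed sample traffic: src tries one port on several hosts."""
    return [(i * step, src, f"10.0.0.{i + 1}", port, accepted)
            for i in range(hosts)]


if __name__ == "__main__":
    cases = {
        "fast sweep, port 22 closed": sweep("192.0.2.10", 22, accepted=False),
        "fast sweep, port 80 closed": sweep("192.0.2.11", 80, accepted=False),
        "SMTP pool, port 25 open": sweep("192.0.2.12", 25, accepted=True),
        "slow sweep, port 22 closed": sweep("192.0.2.13", 22, accepted=False, step=30.0),
    }
    for name, events in cases.items():
        print(f"{name}: {detect_service_sweeps(events)}")
```

Only the first case is flagged; a longer window catches slower sweeps at the cost of more state per source and more alerts from routine traffic.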
Investigate the source of this event for a possible intruder. Consider blocking all packets originating from the source network.
ISS X-Force
Service scanner attempting to connect to same port on multiple computers
http://www.iss.net/security_center/static/5253.php