AD - External TCP Scanner Signature - Actions Taken ->denyPacketRequestedNotPerformed

Unanswered Question
May 5th, 2010
User Badges:


I am getting lots of High Alert of AD -External TCP Scanner... on the Action Taken tab I am seeing "denyPacketRequestedNotPerformed". I want to know what this messages mean.

The Signature fires on  victim port 445. In my case, All the attackers [windows based server] are inside my network that  attacks the destination on port 445. I have already block those Attackers with ACL on my router from the most source end. But Still I am getting this signature in my report.

Want to know,

1) What this message "denyPacketRequestedNotPerformed" is?

2) Whether putting ACL in the source end is enough for this?

3) Is there any recommended Solution for this signature suppression?

Thanks in advance.

[Attached file is the Alert]



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jennifer Halim Thu, 05/06/2010 - 00:43
User Badges:
  • Cisco Employee,

TCP/445 is used by Microsoft file sharing (CIFS), and by default that port is opened on all Microsoft PC basically to allow file sharing.

If you open up DOS prompt, and type: netstat -na, you would see that your PC is by default listening on TCP/445.

Here is more information on Microsoft-DS (TCP/445):

So it really depends on your corporate security policy, whether to allow file sharing or not within the network. IPS is picking that up because it is an easier way of exploiting a PC since the port is opened by default.


This Discussion