CSA throws portscan alert

Unanswered Question
Dec 19th, 2005
User Badges:

Good morning,


I'm getting an Alert in CSA, generated by Rule 18, stating that "A portscan was detected Reason: ICMP unreachable. ICMP: 10.64.100.101 -> 10.65.110.118 type destination_unreachable/03.


The target address (.118) is a voice gateway on a 6509. I dont see any reason for this to occur. Thoughts?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
tsteger1 Mon, 12/19/2005 - 11:41
User Badges:
  • Red, 2250 points or more

You didn't mention what version of CSA you are running and there are different options for each.


You may want to turn off the ICMP deny logging or add your voice gateway to the authorized port scanners. Portscan logging is a different matter and it depends on which version you have.

tsteger1 Thu, 12/22/2005 - 13:05
User Badges:
  • Red, 2250 points or more

OK, then make sure you are using the Internal IP Stack hardening module and add your voice gateway to the Authorized Port Scanners network address set. You also may want to exclude the gateway from the host addresses that are scanned by those rules.


That may do the trick.


Tom

Actions

This Discussion