Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Symantec reporting port scan

I've received a couple of alerts from Symantec anti-virus on a server and client computer saying that it is being port scanned. I was wondering what a network administrator would do about these warnings? Should I just setup a wireshark capture on the computer and see where the scans are coming from or is there a better method to detect devices in your network that are port scanning?

Thanks for the advice        

4 REPLIES

Symantec reporting port scan

Assuming Symantec is reporting the source of the scan, I would investigate and hunt down the source. Once you find the source it should be able to tell is the port scan malicious or port of some type of management tool.

--
CCNP, CCIP, CCDP, CCNA: Security/Wireless
Blog: http://ccie-or-null.net/

-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog: http://ccie-or-null.net/
New Member

Symantec reporting port scan

Thanks Steve. Symantec reported the source as a WLC and an AP (not an AP that was associated with the reported WLC). I thought if someone was connected to the AP and running the scan it would report the IP of the connected user?

Symantec reporting port scan

The it reported to port scans?

1 From the WLC

1 From an LAP - If the LAP was not associated to the WLC how do you know it was a LAP?

How often do these alerts trigger?     

--
CCNP, CCIP, CCDP, CCNA: Security/Wireless
Blog: http://ccie-or-null.net/

-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog: http://ccie-or-null.net/
New Member

Symantec reporting port scan

I'm not too sure what you mean by your first question but the LAP that it reported was associated with our secondary WLC. It also alerted our primary WLC as running port scans.

632
Views
0
Helpful
4
Replies
CreatePlease to create content