RuneSeeker
Participant

Detected Sweep Scan originating from source: internal server - destination: empty

Hi everyone,

We are currently running R81.20 Hotfix Take 105. 

The IPS protection flagged a Sweep Scan originating from an internal server, with the destination showing as "null" and the service listed as HTTP_proxy (TCP/8080).

After 9 seconds, the system automatically applied a SAM rule to drop the connection. This action inadvertently disrupted legitimate communication with another internal server.

Once we identified the cause, we removed the affected server from the SAM rule, and since then the issue has not reappeared.

Could you help us understand what might be triggering this behavior?

 

 

0 Kudos
4 Replies
PhoneBoy
Admin

We'd likely need to set up debug and reproduce the issue to understand the root cause of it.
This will require TAC assistance.

However, adding an exception is probably the best way to ensure this issue doesn't happen again.

0 Kudos
RuneSeeker
Participant

Thank you for the reply,

Exceptions were configured and put in place a long time ago. This issue was a once-off, unexpected incident.
It's not clear how to reproduce this incident, since we don't have any possible destination and don't know what tool or process initiated it.

Do you have any suggestions?

0 Kudos
PhoneBoy
Admin

I don't believe enough information is logged to understand what happened in this case.
Thus, we'd likely need to reproduce it in order to properly debug it.

RuneSeeker
Participant

Thanks for the assistance. We will update as more information becomes available.

0 Kudos
