Sysscan Scanner Request

Question

Got a complaint from our boss about a web attack that was blocked by symantec IPS but wasn't blocked by ASM. Checked the specific policy and as far as I know all possible scan/scanner signatures (16 sigs) are in blocking mode and the sigs were updated just a few days ago.&nbsp;
I need to find out if there is a sig that correlates with the symantec IPS sig or not, and if not - is there a sig on the way. Alternatively, is there a different way to prevent this attack from F5?&nbsp;
This is the Symantec IPS reference:
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30309&nbsp;
Thanks,&nbsp;
Vered&nbsp;

samstep · Answer

Sysscan/masscan is a very fast TCP port scanner not a URL scanner, hence ASM is not capable of detecting it, but it is already protecting your websites because what F5 is very good at is dropping packets on ports it is not listening on. If sysscans does hit ports 80/443 then F5 LTM will simply reset the connection without any impact on the backend application. You can tell your boss to relax as this was not a web attack, buct a port scanner. Pretty simple to block on the upstream network firewall as well..

Forum Discussion

Sysscan Scanner Request

Recent Discussions

Application only need to access from 2 uris

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

AS3 Limitations

Unable to install firmware OS and drop at 10%

Statistics ›› Analytics : HTTP : Overview

Related Content

BotPoke Scanner Switches IP

Reviewing vulnerability scanner results for an Access Policy Manager (APM) protected Virtual Server

Reviewing vulnerability scanner results for an APM protected Virtual Server - part two

Logging DNS Requests

SteganoAmor, Fake IP Scanner, MITRE Corporation Breach - April 14-20, 2024 - This Week in Security

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS