
Thread: Strange Port Scan

  1. #21
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by AngelicKnight
    Ports scanned are: 1183, 1184, 1185, 1186, 1187, 1105, 1104, 1106, 1107 and 1108.
    These look a lot like source ports to me. Imagine the following scenario:

    You have, say, 10 users that go to an SSL site. This SSL site has a server certificate signed by Verisign. Every user verifies this certificate. If this happens fast enough and if your portscan threshold is too low, the firewall will think it's a portscan.

    During that same time frame, I'm receiving fraudulent Microsoft Certificates from the same IP that are being blocked by the firewall.
    Why do you think they're fraudulent and why is your firewall blocking certificates?
    If we build on the scenario above, could it be that one of those PCs tries to verify a Verisign-signed certificate? The response gets blocked by your firewall. Client tries this a couple of times (hence the ascending port numbers). Firewall thinks it's a portscan.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  2. #22
    I don't know how they are determined as fraudulent, they are just described as such by the SonicWALL log. Thanks SirDice.

  3. #23
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400
    http://www.dslreports.com/faq/7998
    Q: Why is my computer trying to contact crl.verisign.net? (#7998)
    A: "CRL" is a "Certificate Revocation List", and it's a list of SSL web security certificates that should no longer be trusted. These could have expired, been stolen, or otherwise removed from service, and it's part of a security infrastructure supported by Verisign. Your system is merely trying to get the latest list of revoked certificates so it won't accept them as "valid" any longer. The activity is innocuous and won't hurt anything. You trust Verisign for a lot more than this every day.

    It is dumb, however, that visiting crl.verisign.net brings up a list of files whose purpose is not obvious: it raises many more questions than it answers. Many of us believe they ought to put up an "index.html" page that describes why the server is there.

    Sure it's just not your network trying to do this? The possible IP spoof bit seems interesting hmm...

  4. #24
    It could be, but I have no idea how to find out. Also, the link for the FAQ came up as invalid. Thanks.

  5. #25
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by therenegade
    It is dumb, however, that visiting crl.verisign.net brings up a list of files whose purpose is not obvious: it raises many more questions than it answers. Many of us believe they ought to put up an "index.html" page that describes why the server is there.
    It's supposed to do that. A CRL is usually checked by a program, not a person. Then a list is a lot simpler to process.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #26
    Verisign says that it's just us trying to check on our invalid certificates with their CRL list (or something like that anyway), so the port scans are normal.
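
The reading given in post #21, that the "scanned" ports are client source ports receiving replies, can be checked by matching the alerted packets against connections the LAN itself opened. The script below is an added example, not part of the thread or of any SonicWALL tooling; the tuple log format, the IP addresses and the port-80 destination are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not real SonicWALL output); IPs are documentation ranges.
# Flows LAN clients opened: (local_ip, local_port, remote_ip, remote_port).
# Assumption: the CRL/certificate fetch goes to port 80 on the remote server.
OUTBOUND = [("10.0.0.21", p, "198.51.100.7", 80) for p in range(1104, 1109)]
OUTBOUND += [("10.0.0.34", p, "198.51.100.7", 80) for p in range(1183, 1188)]
# Packets behind the alert: (remote_ip, remote_port, local_ip, local_port).
INBOUND = [(rip, rport, lip, lport) for (lip, lport, rip, rport) in OUTBOUND]
INBOUND += [("203.0.113.50", 40000 + i, "10.0.0.21", p)
            for i, p in enumerate((21, 22, 23, 25, 80, 443))]


def port_runs(ports):
    """Collapse ports into (first, last) runs of consecutive numbers."""
    runs = []
    for p in sorted(set(ports)):
        if runs and p == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], p)
        else:
            runs.append((p, p))
    return runs


def triage(inbound, outbound):
    """Per remote IP: are the alerted packets replies to flows we opened?"""
    flows = set(outbound)
    hits = defaultdict(lambda: defaultdict(list))   # remote -> local -> ports
    unsolicited = defaultdict(int)
    for remote_ip, remote_port, local_ip, local_port in inbound:
        hits[remote_ip][local_ip].append(local_port)
        # A reply is the mirror image of a flow a LAN client started.
        if (local_ip, local_port, remote_ip, remote_port) not in flows:
            unsolicited[remote_ip] += 1
    report = {}
    for remote_ip, per_host in hits.items():
        report[remote_ip] = {
            "verdict": "investigate" if unsolicited[remote_ip] else "return-traffic",
            "unsolicited": unsolicited[remote_ip],
            "runs": {h: port_runs(p) for h, p in per_host.items()},
        }
    return report


if __name__ == "__main__":
    for ip, info in triage(INBOUND, OUTBOUND).items():
        print(ip, info)
```

A remote source port of 80 is not proof on its own, since it can be forged; the mirrored-flow match is what separates replies from probes.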
