How to identify the port which was used by attacker using SEPM
Updated: 05 Jun 2010 | 6 comments
This issue has been solved. See solution.
Hi There,
Has anyone here overcome this situation, whereby a few of my desktops are showing a Symantec pop-up stating that a public IP address was blocked on a particular date and time?
These are very frequent. In View Logs >> Client Management >> Security Log, I can view the details of the attacker who attacked the system (details as below)
so far, but what I want the most is the incoming port that was used by the attacker. Does anyone have any idea? Please help.
"Denial of Service "Jolt2 Attack" attack detected.
Description:
Jolt2 attacker floods illegally fragmented ICMP or UDP packets into your computer and causes your CPU utilization to be 100%"
Thanking in advance,
m_k
Comments
firewall rule
Hello m_k,
Create a new firewall rule. The rule is from internal to external. Choose to create a log and assign it to the user. The firewall will then log everything incoming and outgoing. Then you can see which port was used.
Best Regards.
Fatih
Everything works better when everything works together.
Firewall Rule & Network Threat Protection
Hi Fatih,
Thanks for your reply. How do I create the rule? I have never done this before. Could you guide me on this please? Also, I can't see any log under Network Threat Protection; it's empty and I don't know why. Is there any other way to check the log?
Thanking in advance.
m_k
I don't think SEPM can give
I don't think SEPM can give you the information about the ports. You can add this as an idea in the Idea section.
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind
And Wireshark
Hello k_m
I forgot to write that you can use Wireshark too.
And there is a picture below for ports.
Best Regards.
Fatih
Everything works better when everything works together.
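Whether a port can be recovered at all depends on the packet. As an added example (not written by any poster in this thread), the sketch below parses raw IPv4 packets, such as bytes exported from a Wireshark capture, and shows that ICMP traffic and non-first fragments, both of which fit the Jolt2 description quoted in the question, carry no port field. The helper names, addresses and packet bytes are constructed for illustration.

```python
import socket
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def describe_ipv4(packet: bytes) -> dict:
    """Report source, protocol, fragment state and destination port (if one exists)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4              # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated IPv4 header")
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    offset = (flags_frag & 0x1FFF) * 8        # fragment offset in bytes
    proto = packet[9]
    info = {
        "src": socket.inet_ntoa(packet[12:16]),
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": offset,
        "dst_port": None,
    }
    payload = packet[ihl:]
    # Only TCP and UDP have ports, and the port fields sit in the first
    # fragment (offset 0). ICMP and later fragments carry no port at all.
    if proto in (6, 17) and offset == 0 and len(payload) >= 4:
        info["dst_port"] = struct.unpack("!H", payload[2:4])[0]
    return info

def build_ipv4(src, dst, proto, flags_frag, payload):
    """Build a constructed sample packet (checksum left at 0; it is not checked here)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

# Constructed samples using documentation addresses, not data from the thread.
UDP_WHOLE = build_ipv4("203.0.113.7", "192.0.2.10", 17, 0,
                       struct.pack("!HHHH", 40000, 53, 12, 0) + b"test")
UDP_LATER_FRAGMENT = build_ipv4("203.0.113.7", "192.0.2.10", 17, 185, b"\x00" * 16)
ICMP_ECHO = build_ipv4("203.0.113.7", "192.0.2.10", 1, 0, b"\x08\x00\x00\x00" + b"\x00" * 4)

if __name__ == "__main__":
    for name, pkt in [("udp", UDP_WHOLE), ("udp fragment", UDP_LATER_FRAGMENT),
                      ("icmp", ICMP_ECHO)]:
        print(name, describe_ipv4(pkt))
```

When `dst_port` comes back as `None`, the source address, protocol and fragment offset are the fields left to filter or block on.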
Firewall Rule
Hello again,
In the SEP Manager, choose Policies > Firewall Policy > Create new Rule.
Choose Blank Rule.
When you create the rule, move it to the first line and choose Log. (You can see the picture below.)
Then assign the policy to the user which you want to follow.
Update the client policy and open the user log file in the SEP client.
Regards.
Fatih
Everything works better when everything works together.
Please note you will want to
Please note you will want to use this logging policy only temporarily. I know this from experience, as this amount of logging will spike the CPU utilization and disk I/O.