Rogue System Detection - Does sensor scan ports?
Our network IDS is showing traffic coming from a couple of our hosts on UDP 31337. This port is usually associated with the Back Orifice trojan. The computers appear to be free of any malware. The only thing these hosts have in common is that they are Rogue System Detection sensors. I see the sensor has some OS fingerprinting functionality. Does this include doing port scans? I'm trying to determine if this could be legitimate traffic. My next step would be to do a traffic capture, but I wanted to see if anyone could confirm the sensor as a possible culprit.

Accepted Solution

JoeBidgood (McAfee Employee):

Yes, the sensor will effectively do a port scan to try and identify the target device. If you don't want it to do this you can either disable OS fingerprinting, or mark the target machine as an exception and configure the sensors not to scan exceptions (as long as you have RSD 4.5.)

HTH -

Joe
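The practical follow-up to this answer is telling the IDS which 31337 hits are the sensor's fingerprinting sweep and which are not. The script below is an added example written for this page, not McAfee code or anything from the thread: it parses Snort-style fast-alert lines, groups the port 31337 alerts by source host, and marks a source as expected when it is in the inventory of hosts running the RSD sensor. A source that is not a known sensor but touches several destinations is flagged for inventory review, while a host that keeps hitting one destination on 31337 is flagged as a possible Back Orifice client, since a scanner sweeps and a backdoor client beacons. The sensor inventory, the alert lines and the alert format are all constructed for the example.

```python
"""Triage IDS alerts on port 31337 against a list of known RSD sensor hosts.

Added example, not McAfee code. The sensor inventory, the alert lines and the
Snort-style fast-alert format used here are constructed for illustration.
"""
import re
from collections import defaultdict

# Hypothetical inventory of hosts running the Rogue System Detection sensor.
# In practice this list comes from wherever you track sensor deployment.
RSD_SENSORS = {"10.1.5.20", "10.1.5.21"}

# Constructed alert lines: one sensor sweeping three hosts on TCP/UDP 31337,
# and one unrelated host repeatedly contacting a single external address.
SAMPLE_ALERTS = """\
03/14-09:12:01.102 [**] [1:115:5] BACKDOOR BackOrifice access [**] {UDP} 10.1.5.20:40211 -> 10.1.7.14:31337
03/14-09:12:01.118 [**] [1:115:5] BACKDOOR BackOrifice access [**] {UDP} 10.1.5.20:40211 -> 10.1.7.15:31337
03/14-09:12:01.131 [**] [1:115:5] BACKDOOR BackOrifice access [**] {TCP} 10.1.5.20:40212 -> 10.1.7.15:31337
03/14-09:12:01.145 [**] [1:115:5] BACKDOOR BackOrifice access [**] {UDP} 10.1.5.20:40211 -> 10.1.7.16:31337
03/14-09:12:05.002 [**] [1:115:5] BACKDOOR BackOrifice access [**] {UDP} 10.1.9.77:1045 -> 203.0.113.9:31337
03/14-09:13:05.004 [**] [1:115:5] BACKDOOR BackOrifice access [**] {UDP} 10.1.9.77:1045 -> 203.0.113.9:31337
03/14-09:14:05.001 [**] [1:115:5] BACKDOOR BackOrifice access [**] {UDP} 10.1.9.77:1045 -> 203.0.113.9:31337
"""

# Timestamp, rule id, message, protocol, src:port -> dst:port.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[[^\]]+\] (?P<msg>.+?) \[\*\*\] \{(?P<proto>TCP|UDP)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(text):
    """Yield one dict per well-formed alert line; silently skip anything else."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alert = m.groupdict()
            alert["sport"] = int(alert["sport"])
            alert["dport"] = int(alert["dport"])
            yield alert


def triage(alerts, sensors=RSD_SENSORS, port=31337):
    """Group alerts on `port` by source host and give each source a verdict.

    expected-rsd-fingerprint : source is a known RSD sensor host.
    unlisted-scanner         : not a known sensor, but sweeps several
                               destinations; check whether it is a sensor
                               missing from the inventory.
    suspect-beacon           : not a known sensor and keeps hitting a single
                               destination; this is the shape of a backdoor
                               client, not of a fingerprinting scan.
    """
    by_src = defaultdict(list)
    for alert in alerts:
        if alert["dport"] == port:
            by_src[alert["src"]].append(alert)

    verdicts = {}
    for src, hits in by_src.items():
        dsts = {h["dst"] for h in hits}
        if src in sensors:
            verdict = "expected-rsd-fingerprint"
        elif len(dsts) > 1:
            verdict = "unlisted-scanner"
        else:
            verdict = "suspect-beacon"
        verdicts[src] = {
            "verdict": verdict,
            "alerts": len(hits),
            "protocols": sorted({h["proto"] for h in hits}),
            "destinations": sorted(dsts),
        }
    return verdicts


if __name__ == "__main__":
    for src, info in triage(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{src:<12} {info['verdict']:<26} alerts={info['alerts']} "
              f"protos={','.join(info['protocols'])} dsts={','.join(info['destinations'])}")
```

The allowlist is deliberately keyed on the sensor host rather than on the port: suppressing every 31337 alert would also hide a real backdoor. Keep the "unlisted-scanner" verdict as a to-do rather than a dismissal, because a newly deployed sensor that nobody added to the inventory looks exactly like that until someone checks.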

3 Replies

I came across KB54105. It seems to confirm there are predefined ports used by the Sensor when analyzing application traffic. This includes TCP and UDP 31337. Is this used for OS fingerprinting? If so, this is news to me.

Hi,

I have the same problem. The Rogue sensor port scan is blocked by HIP on workstations. Is it possible to define somewhere (probably in HIP) a list of rogue sensors (by MAC address or something else) to stop blocking port scans from them?

Thanks a lot.

A.