I came across KB54105. It seems to confirm there are predefined ports used by the Sensor when analyzing application traffic. This includes TCP and UDP 31337. Is this used for OS fingerprinting? If so, this is news to me.
Yes, the sensor will effectively do a port scan to try and identify the target device. If you don't want it to do this, you can either disable OS fingerprinting or mark the target machine as an exception and configure the sensors not to scan exceptions (as long as you have RSD 4.5).
I have the same problem. The Rogue sensor port scan is blocked by HIP on workstations. Is it possible to define somewhere (probably on HIP) a list of rogue sensors (by MAC address or something else) to stop blocking port scans from them?
Thanks a lot.