veredgf_96123
Oct 31, 2017

Sysscan Scanner Request

Got a complaint from our boss about a web attack that was blocked by Symantec IPS but wasn't blocked by ASM. Checked the specific policy and as far as I know all possible scan/scanner signatures (16 sigs) are in blocking mode and the sigs were updated just a few days ago.

 

I need to find out if there is a sig that correlates with the Symantec IPS sig or not, and if not - is there a sig on the way. Alternatively, is there a different way to prevent this attack from F5?

 

This is the Symantec IPS reference: https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30309

 

Thanks,

 

Vered

 

1 Reply

  • Sysscan/masscan is a very fast TCP port scanner, not a URL scanner, hence ASM is not capable of detecting it, but it is already protecting your websites because what F5 is very good at is dropping packets on ports it is not listening on. If Sysscan does hit ports 80/443 then F5 LTM will simply reset the connection without any impact on the backend application. You can tell your boss to relax as this was not a web attack, but a port scanner. Pretty simple to block on the upstream network firewall as well.