I believe that my SonicWALL XPRS2 (all firewalls?) is
identifying attacks simply by the port being accessed.
  I was trying to troubleshoot an irritating little 
problem with Exchange Server and ended up doing some
port scans on my servers, then checking the alerts
being sent by the SonicWALL. When the scan tool probed a 
port that is commonly used by a given attack (e.g., 
NetBus commonly uses ports 12345 and 12346), I would
check my email remotely and sure enough the XPRS2
had sent an alert saying it had dropped a NetBus
attack. I ran three different scans (with different
scan tools) with the same results.
  The problem I have with this is that I know for a fact
that many tools allow the attacker to change the default 
port. If all the SonicWALL is using as identification is 
the port, how will it identify an attack coming in on a 
non-default port? Is this the method used by most firewalls?
  I guess I had not thought much about it, but had I, 
I would have assumed that there was a more sophisticated 
method being used; although I do realize that there is 
probably no way to know just what program is probing a
given port.

Jim Grossl
Lee Pesky Learning Center
Boise, Idaho USA 
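
An added illustration of the concern raised in the post above (not part of the original message, and not SonicWALL's actual logic): it labels dropped connections by destination port alone, as the post suspects, then applies a per-source sweep check to show why a port scan yields NetBus alerts while traffic on a non-default port is never labelled. The log records, thresholds and function names are constructed assumptions.

```python
from collections import defaultdict

# Port-to-name table of the kind the post suspects; 12345/12346 are the
# NetBus default ports mentioned in the post.
PORT_LABELS = {12345: "NetBus", 12346: "NetBus"}
SWEEP_PORTS = 5       # assumed threshold: distinct ports from one source
SWEEP_WINDOW = 10.0   # assumed window, in seconds

def port_only_alerts(events):
    """Label each dropped connection purely by its destination port."""
    return [(e, PORT_LABELS[e["dport"]]) for e in events if e["dport"] in PORT_LABELS]

def sweep_sources(events):
    """Sources that touched >= SWEEP_PORTS distinct ports within SWEEP_WINDOW."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    sweepers = set()
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= SWEEP_WINDOW.
            while evs[end]["ts"] - evs[start]["ts"] > SWEEP_WINDOW:
                start += 1
            if len({x["dport"] for x in evs[start:end + 1]}) >= SWEEP_PORTS:
                sweepers.add(src)
                break
    return sweepers

def triage(events):
    """Return (src, dport, verdict) for every port-only alert."""
    sweepers = sweep_sources(events)
    return [(e["src"], e["dport"],
             "port sweep hit" if e["src"] in sweepers else f"possible {name} probe")
            for e, name in port_only_alerts(events)]

# Constructed sample log: one scanner sweeping seven ports, one lone
# connection to 12345, and one connection to a non-default port (40000).
EVENTS = (
    [{"ts": 0.1 * i, "src": "192.0.2.10", "dport": p}
     for i, p in enumerate([21, 25, 80, 110, 443, 12345, 12346])]
    + [{"ts": 50.0, "src": "198.51.100.7", "dport": 12345},
       {"ts": 60.0, "src": "203.0.113.9", "dport": 40000}]
)

if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row)
```

The connection to port 40000 produces no alert at all under port-only labelling, whatever is actually listening there.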
