IPS log question

Hi,

We have some NAT rules in our UTM SG310.

Today, while watching the IPS logs, I came across this:

2019:06:07-06:57:09 securitysrv1-2 snort[18296]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Terminal server RDP over non-standard port attempt" group="110" srcip="185.156.177.242" dstip="10.0.10.221" proto="6" srcport="54007" dstport="18111" sid="49040" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

What I don't understand is that port 18111 is not used for Windows TS; this port is used to view some XML files on 10.0.10.221.

I thought maybe someone from the source IP tried to open RDP using port 18111 and that is why it got logged, but that was not the case.

So port 18111 is open, and there is an application on 10.0.10.221 that uses this port. Why does the IPS think this connection is for Windows TS and drop it?

Any suggestion?

Thanks
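An added example, not part of the original post or of Sophos' own code. The point it illustrates: an alert named "RDP over non-standard port" is, by its name, not a port match at all; rules of this kind inspect the payload of the first packets and fire when the bytes look like an RDP session start regardless of which port the connection arrived on. Whether SID 49040 matches exactly the bytes below is an assumption; the authoritative answer is the rule text in the UTM's IPS pattern set. The script parses the quoted UTM/snort alert into its fields and then runs a payload check of the kind such a content rule performs (TPKT version 3 header followed by an X.224 Connection Request, which is how every RDP client opens a session) against two constructed payloads: an RDP connection request and an ordinary HTTP request for an XML file, which is what the poster expects on port 18111.

```python
import re

# Constructed sample: the UTM IPS alert quoted in the post, as one syslog line.
SAMPLE_ALERT = (
    '2019:06:07-06:57:09 securitysrv1-2 snort[18296]: id="2101" severity="warn" '
    'sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" '
    'reason="OS-WINDOWS Microsoft Windows Terminal server RDP over non-standard port attempt" '
    'group="110" srcip="185.156.177.242" dstip="10.0.10.221" proto="6" srcport="54007" '
    'dstport="18111" sid="49040" class="Attempted User Privilege Gain" priority="1" '
    'generator="1" msgid="0"'
)

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_utm_ips_alert(line: str) -> dict:
    """Split a UTM IPS syslog line into its key="value" fields.

    The syslog prefix (timestamp, host, process) is stored under keys
    starting with '_' so it does not collide with the alert's own fields.
    """
    prefix, _, rest = line.partition(": ")
    fields = dict(KV_RE.findall(rest))
    ts, host, proc = prefix.split(" ", 2)
    fields["_timestamp"] = ts
    fields["_host"] = host
    fields["_process"] = proc
    return fields


def looks_like_rdp_connection_request(payload: bytes) -> bool:
    """Heuristic for the first client packet of an RDP session.

    Layout: TPKT header (version 0x03, reserved 0x00, 16-bit total length),
    then an X.224 TPDU whose code nibble 0xE is a Connection Request.
    This mirrors what a content-based IPS rule keys on; it is an
    illustration (assumption), not the text of Snort SID 49040.
    """
    if len(payload) < 7:
        return False
    if payload[0] != 0x03 or payload[1] != 0x00:
        return False
    tpkt_len = int.from_bytes(payload[2:4], "big")
    if tpkt_len != len(payload):
        return False
    # payload[4] is the X.224 length indicator; payload[5] is the TPDU code.
    return (payload[5] & 0xF0) == 0xE0


def _build_rdp_connection_request(cookie: bytes = b"Cookie: mstshash=demo\r\n") -> bytes:
    """Constructed RDP X.224 Connection Request wrapped in TPKT (sample input)."""
    # CR code, DST-REF, SRC-REF, class option, then the routing cookie.
    x224_body = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + cookie
    x224 = bytes([len(x224_body)]) + x224_body
    total_len = 4 + len(x224)
    return b"\x03\x00" + total_len.to_bytes(2, "big") + x224


# Constructed payloads: what an RDP client sends first, and what an XML
# viewer over HTTP would send to the service the poster runs on 18111.
RDP_CR_SAMPLE = _build_rdp_connection_request()
HTTP_XML_SAMPLE = b"GET /data/report.xml HTTP/1.1\r\nHost: 10.0.10.221:18111\r\n\r\n"


def classify_payload(payload: bytes) -> str:
    """Label a payload the way a content rule would, independent of port."""
    return "rdp-connection-request" if looks_like_rdp_connection_request(payload) else "other"


if __name__ == "__main__":
    alert = parse_utm_ips_alert(SAMPLE_ALERT)
    print(f"sid={alert['sid']} dstport={alert['dstport']} action={alert['action']}")
    print("reason:", alert["reason"])
    for label, data in (("rdp", RDP_CR_SAMPLE), ("http-xml", HTTP_XML_SAMPLE)):
        print(f"{label:9s} -> {classify_payload(data)}")
```

Because the rule name says "non-standard port", the destination port cannot be what triggered it; the decision is made on bytes that matched the rule's content, so the two things worth checking are the rule text for SID 49040 in the UTM's IPS pattern set and a capture of what the source actually sent to 18111.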
