Security Basics mailing list archives

RE: Question about IDS events

From: "Ben Conrad" <bconrad () COSTAR com>
Date: Mon, 6 Feb 2006 09:35:43 -0500

This is probably normal if your firewall rules allow connections to you
internal hosts.  You will see external addresses on the 10.113.128.50
server when you do a 'netstat'.  If that traffic is making it to your
internal box the IDS will inspect the packets.

Ben

-----Original Message-----
From: Koolk3 [mailto:koolk3 () gmail com] 
Sent: Friday, February 03, 2006 2:49 PM
To: security-basics () securityfocus com
Subject: Question about IDS events

I am seeing external IP addresses in few events on my internal IDS.
These are mostly port/network scan type events. I am wondering what the
reason is. Instead of the firewall address why am I seeing the
originating IP? Is this due to the nature of ICMP packets or does this
result from scans like Nmap?

Thanks for your responses.

Sample events:

TCP_Port_Scan   Medium  80.67.72.208    10.113.128.50
TCP_Port_Scan   Medium  80.67.72.208    10.113.128.50
TCP_Port_Scan   Medium  80.67.72.208    10.113.128.50
TCP_Port_Scan   Medium  80.67.72.208    10.119.0.50

--
KoolK3

------------------------------------------------------------------------
---
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich
University program offers unparalleled Infosec management education and
the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity
Planning, Computer Emergency Response Teams, and Digital Investigations.


http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Current thread:

Question about IDS events Koolk3 (Feb 03)
- Re: Question about IDS events Arturas Zalenekas (Feb 06)
- <Possible follow-ups>
- RE: Question about IDS events Ben Conrad (Feb 06)