Security Incidents mailing list archives
Re: Strange TCP Sweep to 0.0.0.0
From: "jared mc" <bugtraqlist () hotmail com>
Date: Tue, 13 Nov 2001 10:04:37 -0600
We have found the same thing with our Cisco IDS systems. I was able to recreate this 0.0.0.0 bug when I would use Nmap SYN scans to browse through our network. The data was sent into Cisco and I believe they knew it was a bug with their latest update. I have no idea if/when a bug fix will be released :)
-Jared
From: "Geoff Poer" <gpoer () tick Telcom Arizona EDU>
Reply-To: <gpoer () tick telcom arizona edu>
To: <incidents () securityfocus com>
Subject: Strange TCP Sweep to 0.0.0.0
Date: Fri, 9 Nov 2001 10:34:30 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Our Cisco Secure IDS (that lives outside the firewall) is picking up some strange traffic off one of our Netscreen Firewalls. The Src addresses are the un-trusted interface addresses assigned to the Netscreen. Has anyone seen something like this before? Is it a bug or am I seeing something interesting?

Date                 Sensor  Signature  Sub Sig  Description         Severity  Src Address  Src Port  Dst Address  Dst Port
2001-10-26 08:51:24  3       3030       0        TCP SYN Host Sweep  2         my.net.com   2028      0.0.0.0      0
2001-10-26 08:55:24  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1610      0.0.0.0      0
2001-10-26 09:17:24  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1100      0.0.0.0      0
2001-10-26 09:21:20  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1058      0.0.0.0      0
2001-10-26 09:23:21  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1707      0.0.0.0      0
2001-10-26 09:25:23  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1133      0.0.0.0      0
2001-10-26 09:27:21  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1959      0.0.0.0      0
2001-10-26 10:33:21  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1448      0.0.0.0      0
- --------Cut-------- (other address assigned to interface)
2001-11-02 09:24:24  3       3030       0        TCP SYN Host Sweep  2         my2.net.com  1886      0.0.0.0      0
2001-11-02 09:54:20  3       3030       0        TCP SYN Host Sweep  2         my2.net.com  1197      0.0.0.0      0
2001-11-02 10:48:23  3       3030       0        TCP SYN Host Sweep  2         my2.net.com  1779      0.0.0.0      0
2001-11-02 11:29:24  3       3030       0        TCP SYN Host Sweep  2         my2.net.com  1152      0.0.0.0      0
2001-11-02 11:49:20  3       3030       0        TCP SYN Host Sweep  2         my2.net.com  1286      0.0.0.0      0

Whatever it is, it is not terribly fast. The dates are inconsistent in this email but they are actually occurring every day with similar frequency.

thanks,
Geoff

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO+wRgnJYBcIyrSGLEQJBNgCg4BuqFioMAitq5Lk+3qTiLYk6lbwAn33p
iesT5XGxthCxSARQdCQYKpaL
=Zj26
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
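One way to triage a listing like the one quoted above, as an added example that is not part of either post: it parses rows in the same column order, keeps signature 3030 hits whose destination is 0.0.0.0 port 0, and reports the count and spacing per source so the cadence can be checked against known scanning or sensor-update activity. The function names, the sixth sample row and its host name and address are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Rows 1-5 are copied from the quoted alert listing; row 6 is constructed
# to show a hit with a real destination, which the triage leaves alone.
SAMPLE = """\
2001-10-26 08:51:24 3 3030 0 TCP SYN Host Sweep 2 my.net.com 2028 0.0.0.0 0
2001-10-26 08:55:24 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1610 0.0.0.0 0
2001-10-26 09:17:24 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1100 0.0.0.0 0
2001-11-02 09:24:24 3 3030 0 TCP SYN Host Sweep 2 my2.net.com 1886 0.0.0.0 0
2001-11-02 09:54:20 3 3030 0 TCP SYN Host Sweep 2 my2.net.com 1197 0.0.0.0 0
2001-11-02 10:05:00 3 3030 0 TCP SYN Host Sweep 2 other.example 4000 192.0.2.10 0
"""

# Column order from the post: date, sensor, signature, sub sig, description,
# severity, src address, src port, dst address, dst port.
ROW = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<sensor>\d+) (?P<sig>\d+) "
    r"(?P<sub>\d+) (?P<desc>.+?) (?P<sev>\d+) (?P<src>\S+) (?P<sport>\d+) "
    r"(?P<dst>\S+) (?P<dport>\d+)$")

def parse(text):
    """Return one dict per well-formed alert row; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows

def triage(rows, sig="3030"):
    """Map src -> (count, gaps in minutes) for hits aimed at 0.0.0.0 port 0."""
    hits = defaultdict(list)
    for r in rows:
        if r["sig"] == sig and r["dst"] == "0.0.0.0" and r["dport"] == "0":
            hits[r["src"]].append(r["ts"])
    report = {}
    for src, stamps in hits.items():
        stamps.sort()
        gaps = [round((b - a).total_seconds() / 60, 1)
                for a, b in zip(stamps, stamps[1:])]
        report[src] = (len(stamps), gaps)
    return report

if __name__ == "__main__":
    for src, (count, gaps) in triage(parse(SAMPLE)).items():
        print(f"{src}: {count} alerts to 0.0.0.0:0, gaps in minutes: {gaps}")
```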