Security Incidents mailing list archives
RE: UDP Port Sweep question
From: "Colby DeRodeff" <colby () arcsight com>
Date: Wed, 29 Dec 2004 11:18:54 -0800
There is no way to get the packet data from a Cisco IDS sensor. If you have the appliance model, which runs Linux, you can get tcpdump installed (I don't think it's there by default), filter on those IP addresses, and look at the actual packets that way.

-colby

Colby DeRodeff, GCIA, GCNA
Security Engineer
ArcSight Inc.
colby () arcsight com
www.arcsight.com
-----Original Message-----
From: Billy Dodson [mailto:billy () pmm-i com]
Sent: Wednesday, December 29, 2004 10:35 AM
To: dparker () bridonsecurity com
Cc: incidents () securityfocus com
Subject: RE: UDP Port Sweep question

Here is some more info regarding the port sweeps. The port the client is being hit on seems to vary. The client is being hit on the same 8 port range from each IP, port 33434-33460. All 3 sensors from the 3 different clients show the same destination port range. The sensors are Cisco IDS sensors and I am unsure as to how to get the actual packet from the event.

-----Original Message-----
From: Don Parker [mailto:dparker () bridonsecurity com]
Sent: Tuesday, December 28, 2004 5:12 PM
To: incidents () securityfocus com; 'Billy Dodson'
Subject: Re: UDP Port Sweep question

Hello Billy,

Might I suggest you post some of the packets here? It is hard to make judgement calls without something to look at. Just sanitize the IPs prior to posting the packets.

Cheers,
Don

--------------------------------------------------------------
Don Parker, GCIA GCIH
Intrusion Detection & Incident Handling Specialist
Bridon Security & Training Services
http://www.bridonsecurity.com
voice: 1-613-302-2910
--------------------------------------------------------------

On Tue, 28 Dec 2004 22:31, 'Billy Dodson' <CraftedPacket () securitynerds org> sent:

I monitor 3 different sensors which are continuously pounded with network reconnaissance of all types. These sensors all belong to financial institutions. One thing that jumped out at me is "UDP Port Sweeps" events from about 15 different IP addresses which all belong to either IBM or Sequent (which was bought by IBM). I see these same IP addresses doing the same thing on all three sensors. I have contacted the clients and they do not deal with IBM or Sequent in any way. Is there legitimate traffic that would cause these events to fire? It is odd to me that I see them on all 3 sensors for 3 different companies, but all happen to be in the financial industry. Thanks in advance for your input.
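The triage Billy describes (the same sources hitting the same destination-port range on three separate sensors) and the capture advice Colby gives (tcpdump filtered to those addresses) can both be worked through with a small script. The following is an added example, not code from the thread or from any participant: the event lines are constructed in a made-up format (they are not Cisco IDS output), the addresses are RFC 5737 documentation ranges rather than the IPs discussed, and the observation that 33434-33460 coincides with the default UDP probe ports of classic UNIX traceroute is this example's own assumption, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample sensor events (made-up format, documentation-range IPs).
# Three sensors, three source addresses; one source sweeps the 33434-33460
# range on every sensor, one is seen on a single sensor, one mixes ports.
SAMPLE_EVENTS = """\
sensor1 2004-12-28T10:01:02 UDP 192.0.2.10:40211 -> 198.51.100.5:33434
sensor1 2004-12-28T10:01:02 UDP 192.0.2.10:40212 -> 198.51.100.5:33435
sensor1 2004-12-28T10:01:03 UDP 192.0.2.10:40213 -> 198.51.100.5:33436
sensor2 2004-12-28T11:14:20 UDP 192.0.2.10:40301 -> 198.51.100.77:33434
sensor2 2004-12-28T11:14:21 UDP 192.0.2.10:40302 -> 198.51.100.77:33460
sensor3 2004-12-28T12:05:00 UDP 192.0.2.10:40500 -> 198.51.100.130:33440
sensor1 2004-12-28T10:30:00 UDP 192.0.2.11:51000 -> 198.51.100.5:33434
sensor1 2004-12-28T10:30:01 UDP 192.0.2.11:51001 -> 198.51.100.5:33437
sensor2 2004-12-28T13:00:00 UDP 203.0.113.7:6000 -> 198.51.100.77:53
sensor2 2004-12-28T13:00:00 UDP 203.0.113.7:6000 -> 198.51.100.77:137
sensor3 2004-12-28T13:02:00 UDP 203.0.113.7:6000 -> 198.51.100.130:161
sensor1 2004-12-28T14:00:00 UDP 203.0.113.7:6000 -> 198.51.100.5:33434
"""

# Assumption of this example: the port range in the thread matches the
# default UDP destination ports of classic UNIX traceroute, which starts
# at 33434 and increments the port once per probe.
TRACEROUTE_PORT_LO, TRACEROUTE_PORT_HI = 33434, 33460

EVENT_RE = re.compile(
    r"^(?P<sensor>\S+)\s+(?P<ts>\S+)\s+UDP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_event(line):
    """Return a dict for one event line, or None if the line does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def classify_ports(ports):
    """Label a set of destination ports relative to the traceroute range."""
    in_range = [TRACEROUTE_PORT_LO <= p <= TRACEROUTE_PORT_HI for p in ports]
    if all(in_range):
        return "all-traceroute-range"
    if any(in_range):
        return "mixed"
    return "outside-traceroute-range"


def triage(text, min_sensors=2):
    """Correlate sweep sources across sensors.

    Returns (src, sensor_count, event_count, port_label) for every source seen
    on at least `min_sensors` distinct sensors, most widespread first.
    """
    seen = defaultdict(lambda: {"sensors": set(), "ports": set(), "events": 0})
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue  # skip lines in an unexpected format rather than fail
        rec = seen[ev["src"]]
        rec["sensors"].add(ev["sensor"])
        rec["ports"].add(ev["dport"])
        rec["events"] += 1
    rows = [
        (src, len(r["sensors"]), r["events"], classify_ports(r["ports"]))
        for src, r in seen.items()
        if len(r["sensors"]) >= min_sensors
    ]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def tcpdump_filter(sources, lo=TRACEROUTE_PORT_LO, hi=TRACEROUTE_PORT_HI):
    """Build the BPF capture filter Colby's advice implies: UDP into the swept
    port range, restricted to the listed source addresses."""
    hosts = " or ".join(f"src host {ip}" for ip in sorted(sources))
    return f"udp and dst portrange {lo}-{hi} and ({hosts})"


if __name__ == "__main__":
    rows = triage(SAMPLE_EVENTS)
    for src, n_sensors, n_events, label in rows:
        print(f"{src:15} sensors={n_sensors} events={n_events} ports={label}")
    print("capture filter:", tcpdump_filter(row[0] for row in rows))
```

Run against the constructed events, the script reports 192.0.2.10 on all three sensors with every destination port inside the traceroute range, and 203.0.113.7 on three sensors with a mixed port set; 192.0.2.11 drops out because it was seen on only one sensor. The printed filter string is what you would pass to tcpdump (for example `tcpdump -nn -w sweep.pcap '<filter>'`) on a sensor where the tool has been installed, so that only the suspect sources' UDP traffic into that port range is captured for inspection.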
Current thread:
- UDP Port Sweep question Billy Dodson (Dec 28)
- Re: UDP Port Sweep question Tim (Dec 29)
- Re: UDP Port Sweep question Kyle Maxwell (Dec 29)
- Re: UDP Port Sweep question Ron (Dec 29)
- <Possible follow-ups>
- Re: UDP Port Sweep question Don Parker (Dec 29)
- RE: UDP Port Sweep question Billy Dodson (Dec 29)
- RE: UDP Port Sweep question David Gillett (Dec 29)
- Re: UDP Port Sweep question Tim (Dec 29)
- RE: UDP Port Sweep question Jack McCarthy (Dec 29)
- RE: UDP Port Sweep question Benjamin Franz (Dec 29)
- RE: UDP Port Sweep question Colby DeRodeff (Dec 29)
- Re: UDP Port Sweep question Francesca Smith (Dec 30)