Security Basics mailing list archives

Re: Question about IDS events


From: "Arturas Zalenekas" <security () zalenekas net>
Date: Mon, 6 Feb 2006 00:54:21 +0100 (CET)

Hi KoolK3,

There could be a lot of reasons, but most likely your IDS is behind your
firewall. If you'd like to know more, please tell us more about your
topology: where are your FW and IDS? Is your IDS working in bridged mode?
Do you have a hub or a switch? Etc.

Kind regards,
Arturas Zalenekas
Network Security Engineer and Analyst

On Fri, February 3, 2006 20:49, Koolk3 wrote:
I am seeing external IP addresses in a few events on my internal IDS.
These are mostly port/network scan type events. I am wondering what
the reason is. Instead of the firewall address why am I seeing the
originating IP? Is this due to the nature of ICMP packets or does this
result from scans like Nmap?

Thanks for your responses.

Sample events:

TCP_Port_Scan Medium  80.67.72.208    10.113.128.50
TCP_Port_Scan Medium  80.67.72.208    10.113.128.50
TCP_Port_Scan Medium  80.67.72.208    10.113.128.50
TCP_Port_Scan Medium  80.67.72.208    10.119.0.50

--
KoolK3
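
Added example (not part of the original messages): a short Python triage of the sample events above, grouping events whose source lies outside RFC 1918 space by the internal hosts they touched. The column order (signature, severity, source, destination) and the RFC 1918 internal range are assumptions, and the function names are illustrative.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input: the four event lines quoted in the thread.
SAMPLE_EVENTS = """\
TCP_Port_Scan Medium  80.67.72.208    10.113.128.50
TCP_Port_Scan Medium  80.67.72.208    10.113.128.50
TCP_Port_Scan Medium  80.67.72.208    10.113.128.50
TCP_Port_Scan Medium  80.67.72.208    10.119.0.50
"""

# Assumption: the internal network uses RFC 1918 address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)

def parse_event(line):
    """Return (signature, severity, src, dst), or None for a malformed line."""
    fields = line.split()
    if len(fields) != 4:
        return None
    try:
        src = ipaddress.ip_address(fields[2])
        dst = ipaddress.ip_address(fields[3])
    except ValueError:
        return None
    return fields[0], fields[1], src, dst

def external_sources(text):
    """Map each external source to its event count and distinct internal targets."""
    summary = defaultdict(lambda: {"events": 0, "targets": set()})
    for line in text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        _, _, src, dst = event
        if not is_internal(src) and is_internal(dst):
            summary[str(src)]["events"] += 1
            summary[str(src)]["targets"].add(str(dst))
    return dict(summary)

if __name__ == "__main__":
    for src, info in external_sources(SAMPLE_EVENTS).items():
        print(src, info["events"], sorted(info["targets"]))
```
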


