Snort mailing list archives
RE: SCAN myscan (ID# 613)
From: "Ted Rohling" <ted.rohling () instructors net>
Date: Wed, 12 Jan 2005 17:15:42 -0600
Cisco docs say that the PIX is trying to talk to an N2H2 server or a Websense server on the Windows box. Essentially these services are used for URL filtering. You might want to check the config on the PIX to see if the url-server parameter has been set. It requires the use of a specific IP address so it really isn't multicasting...or shouldn't be.

http://www.n2h2.com/pdf/cisco_pix_config.pdf

_____

From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ron Jenkins
Sent: Wednesday, January 12, 2005 7:49 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] SCAN myscan (ID# 613)

I see this alert once a day from a Cisco Pix to the same Windows server. Does anyone have an idea why this may be getting triggered?

Thanks…

IP Header
Source IP: ???.???.???.???
Destination IP: ???.???.???.???
Protocol: TCP
Time To Live: 255
Checksum: 54513

TCP Header
Source Port: 10101
Destination Port: 4005
Sequence Number: 383247798
Ack Number: 0
Window: 4096
Offset: 6
Checksum: 16047
Flags: URG: 0 ACK: 0 PSH: 0 RST: 0 SYN: 0 FIN: 0
Flags Description: NULL Packet (reserved bit 2 active)

Ron Jenkins (MCNE, CNE6, MCP, CCNA, CCEA)
Senior Architect
Data Integrity, LLC
"We Integrate People with Solutions"
1724 Dallas Drive Suite 11
Baton Rouge, La 70806
Office. 225.927.8030
Fax. 225.927.8033
Cell. 225.931.1632
Email. rjenkins () dibr net
Web. www.dibr.net
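One way to act on the advice in the reply, as an added example that is not part of the original thread: a Python check that reads `url-server` lines from a saved PIX configuration and reports whether the alert's destination is a configured URL-filtering server. The addresses, the sample configuration and alert, the function names, and the assumed N2H2 default port of 4005 are illustrative and not taken from the posters' network.

```python
import re

# Assumption: N2H2 uses TCP 4005 when the config gives no port.
DEFAULT_PORTS = {"n2h2": 4005}

URL_SERVER_RE = re.compile(
    r"^url-server\s+\((?P<ifname>[^)]+)\)\s+"
    r"(?:vendor\s+(?P<vendor>\S+)\s+)?host\s+(?P<host>\S+)"
    r"(?:\s+port\s+(?P<port>\d+))?",
    re.IGNORECASE | re.MULTILINE,
)

def parse_url_servers(config_text):
    """Extract url-server entries; no vendor keyword is assumed to mean websense."""
    servers = []
    for m in URL_SERVER_RE.finditer(config_text):
        vendor = (m.group("vendor") or "websense").lower()
        port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS.get(vendor)
        servers.append({"interface": m.group("ifname"), "vendor": vendor,
                        "host": m.group("host"), "port": port})
    return servers

def parse_alert(alert_text):
    """Pull the triage fields out of an alert laid out as in the post."""
    fields = dict(re.findall(r"^(Source IP|Destination IP|Destination Port):\s*(\S+)",
                             alert_text, re.MULTILINE))
    return {"src_ip": fields["Source IP"], "dst_ip": fields["Destination IP"],
            "dst_port": int(fields["Destination Port"])}

def explain_alert(alert, pix_ip, servers):
    """Return the url-server entry that accounts for the alert, or None."""
    if alert["src_ip"] != pix_ip:
        return None  # not from the firewall: keep investigating
    for s in servers:
        # A port of None means the config did not say; match on host alone.
        if s["host"] == alert["dst_ip"] and s["port"] in (None, alert["dst_port"]):
            return s
    return None

# Constructed sample data (documentation addresses, not the posters' network).
SAMPLE_CONFIG = """\
url-server (inside) vendor n2h2 host 192.0.2.10 port 4005 timeout 5 protocol TCP
url-server (inside) host 192.0.2.20 timeout 5 protocol TCP version 1
"""
SAMPLE_ALERT = """\
Source IP: 192.0.2.1
Destination IP: 192.0.2.10
Destination Port: 4005
"""

print(explain_alert(parse_alert(SAMPLE_ALERT), "192.0.2.1", parse_url_servers(SAMPLE_CONFIG)))
```

A `None` result means no configured `url-server` entry accounts for the traffic, so the alert still needs investigation.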