Snort mailing list archives

RE: SCAN myscan (ID# 613)


From: "Ted Rohling" <ted.rohling () instructors net>
Date: Wed, 12 Jan 2005 17:15:42 -0600

Cisco docs say that the PIX is trying to talk to an N2H2 server or a
Websense server on the Windows box.  Essentially these services are used for
URL filtering.  You might want to check the config on the PIX to see if the
url-server parameter has been set.  It requires the use of a specific IP
address so it really isn't multicasting...or shouldn't be.
 
http://www.n2h2.com/pdf/cisco_pix_config.pdf
 
 

   _____  

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ron Jenkins
Sent: Wednesday, January 12, 2005 7:49 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] SCAN myscan (ID# 613)



I see this alert once a day from a Cisco Pix to the same Windows server.
Does anyone have an idea why this may be getting triggered?

 

Thanks…

 


IP Header

  Source IP:          ???.???.???.???
  Destination IP:     ???.???.???.???
  Protocol:           TCP
  Time To Live:       255
  Checksum:           54513

TCP Header

  Source Port:        10101
  Destination Port:   4005
  Sequence Number:    383247798
  Ack Number:         0
  Window:             4096
  Offset:             6
  Checksum:           16047
  Flags:              URG: 0 ACK: 0 PSH: 0 RST: 0 SYN: 0 FIN: 0
  Flags Description:  NULL Packet (reserved bit 2 active)


Ron Jenkins (MCNE, CNE6, MCP, CCNA, CCEA) 
Senior Architect 
Data Integrity, LLC 
"We Integrate People with Solutions" 
1724 Dallas Drive 
Suite 11 
Baton Rouge, La 70806 
Office. 225.927.8030 
Fax. 225.927.8033 
Cell. 225.931.1632
Email. rjenkins () dibr net 
Web. www.dibr.net 
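
One way to test the URL-filtering explanation against the firewall's own configuration, as an added example that is not part of the original messages: parse the PIX config for url-server statements and check whether the alert's destination (port 4005 in the packet above) is a configured filtering server. The url-server syntax handled here, the N2H2 default port of 4005, the TCP default and the sample config are assumptions, not taken from the thread.

```python
import ipaddress
import re

# Assumed PIX 6.x form (not quoted in the thread):
#   url-server [(if)] [vendor n2h2|websense] host <ip> [port <n>] [timeout <s>] [protocol TCP|UDP]
URL_SERVER_RE = re.compile(
    r"^url-server\s+(?:\((?P<ifname>[^)]+)\)\s+)?"
    r"(?:vendor\s+(?P<vendor>\S+)\s+)?"
    r"host\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?P<rest>.*)$",
    re.IGNORECASE,
)
N2H2_DEFAULT_PORT = 4005  # assumption: used when no "port" keyword is present


def parse_url_servers(config_text):
    """Return one dict per url-server statement found in a PIX config."""
    servers = []
    for line in config_text.splitlines():
        m = URL_SERVER_RE.match(line.strip())
        if not m:
            continue
        vendor = (m.group("vendor") or "websense").lower()
        rest = m.group("rest")
        port_m = re.search(r"\bport\s+(\d+)", rest, re.IGNORECASE)
        proto_m = re.search(r"\bprotocol\s+(tcp|udp)", rest, re.IGNORECASE)
        default_port = N2H2_DEFAULT_PORT if vendor == "n2h2" else None
        servers.append({
            "interface": m.group("ifname"),
            "vendor": vendor,
            "host": ipaddress.ip_address(m.group("host")),
            "port": int(port_m.group(1)) if port_m else default_port,
            "protocol": (proto_m.group(1) if proto_m else "tcp").upper(),
        })
    return servers


def explain_alert(config_text, dst_ip, dst_port, protocol="TCP"):
    """Return the url-server entry matching an alert's destination, else None."""
    dst = ipaddress.ip_address(dst_ip)
    for srv in parse_url_servers(config_text):
        port_ok = srv["port"] is None or srv["port"] == dst_port
        if srv["host"] == dst and srv["protocol"] == protocol.upper() and port_ok:
            return srv
    return None


# Constructed sample config; 192.0.2.10 is a documentation address.
SAMPLE_CONFIG = """hostname pixfw
url-server (inside) vendor n2h2 host 192.0.2.10 timeout 5 protocol TCP
"""

if __name__ == "__main__":
    print(explain_alert(SAMPLE_CONFIG, "192.0.2.10", 4005))
```

A match means the alerting packet's destination is a filtering server the PIX was told to contact; no match means the url-server setting does not account for the alert.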

 


 
