strange traffic from Solaris systems showing up on IDS
From: Ben Tetu-Pappas (bpappas@totality.com)
Date: 10/20/01
- Previous message: Jonathan A. Zdziarski: "Chrooting daemons HOWTO"
- Next in thread: Crist J. Clark: "Re: strange traffic from Solaris systems showing up on IDS"
- Reply: Crist J. Clark: "Re: strange traffic from Solaris systems showing up on IDS"
Message-ID: <04AECA3257C58F468B7C23696A8EC9BD02E0FB03@sfosrv04.mimecom.com>
From: Ben Tetu-Pappas <bpappas@totality.com>
To: "'focus-sun@securityfocus.com'" <focus-sun@securityfocus.com>
Subject: strange traffic from Solaris systems showing up on IDS
Date: Fri, 19 Oct 2001 17:12:18 -0700
I've been seeing some traffic on one of our IDS systems that has me puzzled.
All of the hosts that generate this traffic are Ultra5 systems running
Solaris 7 or 8.
Traffic looks like this:
Source Addr: 192.168.105.239
Source Port: 38847      <---- source ports are always above 30,000
Dest Addr:   0.0.0.0    <---- destination address is always 0.0.0.0
Dest Port:   0          <---- destination port is always 0
TCP/UDP:     TCP        <---- traffic is always TCP
TCP Flags:   rst ack    <---- TCP flags are always rst ack
As best I can determine, the only correlation I can come up with is
that the systems that cause this traffic seem to be starting various
/usr/dt/bin/* processes when I see the traffic. So what are Solaris and/or
DT up to that creates this seemingly odd traffic?
Benjamin Tetu-Pappas
Senior Security Engineer
Totality Corporation
415-402-3000