strange traffic from Solaris systems showing up on IDS

From: Ben Tetu-Pappas (bpappas@totality.com)
Date: 10/20/01


Message-ID: <04AECA3257C58F468B7C23696A8EC9BD02E0FB03@sfosrv04.mimecom.com>
From: Ben Tetu-Pappas <bpappas@totality.com>
To: "'focus-sun@securityfocus.com'" <focus-sun@securityfocus.com>
Subject: strange traffic from Solaris systems showing up on IDS
Date: Fri, 19 Oct 2001 17:12:18 -0700

I've been seeing some traffic on one of our IDS systems that has me puzzled.
All of the hosts that generate this traffic are Ultra5 systems running
Solaris 7 or 8.

Traffic looks like this:
Source Addr: 192.168.105.239
Source Port: 38847 <---- source ports are always above 30,000
Dest Addr: 0.0.0.0 <---- destination address is always 0.0.0.0
Dest Port: 0 <---- destination port is always 0
TCP/UDP: TCP <---- traffic is always TCP
TCP Flags: rst ack <---- TCP flags are always rst ack

As best I can determine, the only correlation I can come up with is that
the systems that cause this traffic seem to be starting various
/usr/dt/bin/* processes when I see the traffic. So what are Solaris and/or
DT up to that creates this seemingly odd traffic?

Benjamin Tetu-Pappas
Senior Security Engineer
Totality Corporation
415-402-3000
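The pattern described in the post (TCP, flags RST+ACK, destination 0.0.0.0 port 0, source port above 30,000) is specific enough to isolate from an IDS alert export and count per source host, which is the first step in correlating it with the /usr/dt/bin process starts the poster mentions. The following is an added example written for this page, not code from the poster or from any IDS product; the key=value alert format and the sample lines are constructed for the example, so the field regex would need adjusting to a real sensor's export format.

```python
"""Triage filter for the alert pattern described in the post: TCP RST/ACK
packets from a high source port to destination 0.0.0.0 port 0.
The log format and the sample alerts below are constructed for this example."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample alerts in a hypothetical key=value format.
# Only lines 1, 2 and 3 match every attribute the post reports; line 4 is an
# ordinary SYN, line 5 is UDP, line 6 has a source port below 30,000.
SAMPLE_ALERTS = """\
2001-10-19T17:01:02 src=192.168.105.239 sport=38847 dst=0.0.0.0 dport=0 proto=TCP flags=RA
2001-10-19T17:01:09 src=192.168.105.241 sport=33120 dst=0.0.0.0 dport=0 proto=TCP flags=RA
2001-10-19T17:02:30 src=192.168.105.239 sport=38850 dst=0.0.0.0 dport=0 proto=TCP flags=RA
2001-10-19T17:03:11 src=192.168.105.50 sport=1043 dst=192.168.105.239 dport=22 proto=TCP flags=S
2001-10-19T17:03:12 src=192.168.105.239 sport=39001 dst=0.0.0.0 dport=0 proto=UDP flags=
2001-10-19T17:04:00 src=192.168.105.239 sport=2048 dst=0.0.0.0 dport=0 proto=TCP flags=RA
"""

# Matches "key=value" tokens; value may be empty (e.g. "flags=" on a UDP alert).
FIELD_RE = re.compile(r"(\w+)=(\S*)")
REQUIRED = {"src", "sport", "dst", "dport", "proto", "flags"}


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Turn one key=value alert line into a dict; None if fields are missing."""
    fields = dict(FIELD_RE.findall(line))
    if not REQUIRED.issubset(fields):
        return None
    return fields


def matches_pattern(rec: Dict[str, str], min_sport: int = 30000) -> bool:
    """True when the record shows every attribute the post lists:
    TCP, flags exactly RST+ACK, destination 0.0.0.0:0, source port > min_sport."""
    try:
        sport = int(rec["sport"])
        dport = int(rec["dport"])
    except ValueError:
        return False  # malformed port field: not a match rather than a crash
    flags = set(rec["flags"].upper())
    return (
        rec["proto"].upper() == "TCP"
        and flags == {"R", "A"}
        and rec["dst"] == "0.0.0.0"
        and dport == 0
        and sport > min_sport
    )


def triage(text: str) -> List[Tuple[str, int]]:
    """Count matching alerts per source host, most frequent first."""
    counts: Counter = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None and matches_pattern(rec):
            counts[rec["src"]] += 1
    return counts.most_common()


if __name__ == "__main__":
    for host, n in triage(SAMPLE_ALERTS):
        print(f"{host}: {n} RST/ACK-to-0.0.0.0 alerts")
```

The per-host counts give a list of Solaris systems to pull process accounting or timestamps from, so the suspected link to /usr/dt/bin process starts can be checked against alert times rather than by eye.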