RE: UDP Port Sweep question
From: Colby DeRodeff (colby_at_arcsight.com)
Date: 12/29/04
- Previous message: Jack McCarthy: "RE: UDP Port Sweep question"
- Maybe in reply to: Billy Dodson: "UDP Port Sweep question"
- Next in thread: Francesca Smith: "Re: UDP Port Sweep question"
- Reply: Francesca Smith: "Re: UDP Port Sweep question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 29 Dec 2004 11:18:54 -0800 To: "Billy Dodson" <billy@pmm-i.com>, <dparker@bridonsecurity.com>
There is no way to get the packet data from a Cisco IDS sensor. If you
have the appliance model which runs Linux, you can get tcpdump
installed (I don't think it's there by default) and filter on those IP
addresses and look at the actual packets that way.
-colby
Colby DeRodeff, GCIA, GCNA
Security Engineer
ArcSight Inc.
colby@arcsight.com
www.arcsight.com
> -----Original Message-----
> From: Billy Dodson [mailto:billy@pmm-i.com]
> Sent: Wednesday, December 29, 2004 10:35 AM
> To: dparker@bridonsecurity.com
> Cc: incidents@securityfocus.com
> Subject: RE: UDP Port Sweep question
>
> Here is some more info regarding the port sweeps. The port the client
> is being hit on seems to vary. The client is being hit on the same 8
> port range from each IP port 33434-33460. All 3 sensors from the 3
> different clients show the same destination port range. The sensors are
> Cisco IDS sensors and I am unsure as to how to get the actual packet
> from the event.
>
>
> -----Original Message-----
> From: Don Parker [mailto:dparker@bridonsecurity.com]
> Sent: Tuesday, December 28, 2004 5:12 PM
> To: incidents@securityfocus.com; 'Billy Dodson'
> Subject: Re: UDP Port Sweep question
>
> Hello Billy,
>
> Might I suggest you post some of the packets here? It is hard to make
> judgement calls without something to look at. Just sanitize the IPs
> prior to posting the packets.
>
> Cheers,
>
> Don
>
> --------------------------------------------------------------
> Don Parker, GCIA GCIH
> Intrusion Detection & Incident Handling Specialist
> Bridon Security & Training Services
> http://www.bridonsecurity.com
> voice: 1-613-302-2910
> --------------------------------------------------------------
>
> On Tue, 28 Dec 2004 22:31 , 'Billy Dodson'
> <CraftedPacket@securitynerds.org> sent:
>
> >I monitor 3 different sensors which are continuously pounded with network
> >reconnaissance of all types. These sensors all belong to financial
> >institutions. One thing that jumped out at me is "UDP Port Sweeps"
> >events from about 15 different IP addresses which all belong to either IBM
> >or Sequent (which was bought by IBM). I see these same IP addresses doing
> >the same thing on all three sensors. I have contacted the clients and
> >they do not deal with IBM or Sequent in any way. Are there legitimate types
> >of traffic that would cause these events to fire? It is odd to me that I see
> >them on all 3 sensors for 3 different companies but all happen to be in the
> >financial industry. Thanks in advance for your input.
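The advice in this thread is to capture the sweep traffic and filter on the reporting source addresses. The following is an added example, not code from the thread or from ArcSight or Cisco: it builds the tcpdump/BPF filter for the reported destination range 33434-33460 and triages sensor events per source, flagging whether the destination ports were walked one at a time (the pattern a hop-by-hop UDP traceroute leaves, since it starts at 33434 and increments the port per probe). The key=value event line format and all IP addresses are constructed for the example.

```python
# Added example, not from the thread: build the capture filter Colby suggests
# and triage sweep events per source. Event format and addresses are constructed.
import ipaddress
import re

SWEEP_PORT_LO, SWEEP_PORT_HI = 33434, 33460  # destination range reported in the thread

def bpf_filter(sources, lo=SWEEP_PORT_LO, hi=SWEEP_PORT_HI):
    """BPF expression for UDP from the listed sources into the sweep port range."""
    clauses = []
    for s in sorted(set(sources)):
        net = ipaddress.ip_network(s, strict=False)
        if net.prefixlen == net.max_prefixlen:
            clauses.append(f"src host {net.network_address}")
        else:
            clauses.append(f"src net {net.with_prefixlen}")
    return f"udp and ({' or '.join(clauses)}) and dst portrange {lo}-{hi}"

# Constructed key=value event format, as a sensor console might export it.
EVENT_RE = re.compile(r"src=(\S+) dst=(\S+) sport=\d+ dport=(\d+) proto=(\w+)")

def triage(event_lines, lo=SWEEP_PORT_LO, hi=SWEEP_PORT_HI):
    """Per source: targets hit, in-range UDP ports, and whether those ports
    were walked contiguously (one port per probe) rather than scattered."""
    by_src = {}
    for line in event_lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        src, dst, dport, proto = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if proto.lower() != "udp" or not lo <= dport <= hi:
            continue  # ignore non-UDP events and ports outside the reported range
        rec = by_src.setdefault(src, {"targets": set(), "ports": set()})
        rec["targets"].add(dst)
        rec["ports"].add(dport)
    summary = {}
    for src, rec in by_src.items():
        ports = sorted(rec["ports"])
        summary[src] = {"targets": len(rec["targets"]), "ports": ports,
                        "contiguous": ports == list(range(ports[0], ports[0] + len(ports)))}
    return summary

SAMPLE_EVENTS = [  # constructed; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges
    "2004-12-28T22:31:07 src=192.0.2.10 dst=10.0.0.5 sport=40123 dport=33434 proto=udp",
    "2004-12-28T22:31:08 src=192.0.2.10 dst=10.0.0.5 sport=40123 dport=33435 proto=udp",
    "2004-12-28T22:40:02 src=198.51.100.7 dst=10.0.1.9 sport=5000 dport=33450 proto=udp",
    "2004-12-28T22:40:03 src=198.51.100.7 dst=10.0.1.9 sport=5000 dport=33460 proto=udp",
    "2004-12-28T22:41:00 src=198.51.100.7 dst=10.0.1.9 sport=5000 dport=53 proto=udp",
]
```

Pass the string from `bpf_filter` to `tcpdump -nn -s 0 -w sweep.pcap '<filter>'` on the sensor to capture only the traffic the events report on.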