Re: UDP Port Sweep question
From: Francesca Smith (fsmith_at_ladylinux.com)
Date: 12/30/04
- Previous message: Colby DeRodeff: "RE: UDP Port Sweep question"
- In reply to: Colby DeRodeff: "RE: UDP Port Sweep question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 30 Dec 2004 01:23:16 -0500
To: "Colby DeRodeff" <colby@arcsight.com>
Hello,
This may be nothing .. But I have a HIDS running on my firewall .. I
was working on a web server just a bit ago ..
And the server echoed back a scan .. I suspect this server is hacked by
the php.injection worm ... Very very strange
I will look around my snort network tap device and see if I can snag
one of these packets ..
> =-=-=-=-=-=-=-=-=-=-=-= Thu Dec 30 00:21:36 2004
> =-=-=-=-=-=-=-=-=-=-=-=
> ** psad: Suspicious traffic detected against xx.xxx.xxx.xxx (My
> Firewall)
>
>
> Danger level: [2] (out of 5)
>
> Scanned udp ports: [33474-33486: 13 packets, Nmap: -sU]
> Iptables chain: INPUT (prefix "Shorewall:net2all:DROP:"), 13
> packets
Francesca
Lady Linux Internet Services
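As an added example (not code from this thread, from psad or from any of the posters), here is a small Python script that groups the dropped UDP destination ports per source address from Shorewall/iptables log lines of the kind psad reads, and flags the shape of sweep seen above: consecutive ports, each hit once, starting at or above 33434, which is what Unix traceroute produces by default. The log lines, the addresses and the 200-port window are constructed or assumed for the example.

```python
import re
from collections import defaultdict

# Default first UDP destination port of Unix traceroute; every further probe
# goes to the next port (a fact about traceroute, not taken from the thread).
TRACEROUTE_BASE = 33434
TRACEROUTE_WINDOW = 200  # assumed heuristic: ports far above the base are not a traceroute

LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=[\d.]+ PROTO=UDP SPT=\d+ DPT=(?P<dpt>\d+)")

def sample_line(src, dpt):
    """Build one constructed Shorewall/iptables DROP log line (RFC 5737 test addresses)."""
    return (f"Dec 30 00:21:36 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
            f"SRC={src} DST=198.51.100.1 PROTO=UDP SPT=40000 DPT={dpt} LEN=20")

# Constructed sample: one source walking 33474-33486 once each (the range from the
# psad alert above) and one source probing a scatter of well-known UDP ports.
SAMPLE_LOG = "\n".join(
    [sample_line("192.0.2.10", p) for p in range(33474, 33487)]
    + [sample_line("203.0.113.7", p) for p in (53, 161, 161, 500, 1434)]
)

def parse_udp_drops(text):
    """Group the dropped UDP destination ports by source address."""
    ports = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            ports[m["src"]].append(int(m["dpt"]))
    return {src: sorted(p) for src, p in ports.items()}

def classify(ports):
    """Summarise one source's sweep and flag the traceroute-shaped pattern:
    consecutive ports, each hit once, starting at or above TRACEROUTE_BASE."""
    distinct = sorted(set(ports))
    contiguous = distinct == list(range(distinct[0], distinct[-1] + 1))
    traceroute_like = (
        contiguous
        and len(distinct) == len(ports)
        and TRACEROUTE_BASE <= distinct[0]
        and distinct[-1] < TRACEROUTE_BASE + TRACEROUTE_WINDOW
    )
    return {"low": distinct[0], "high": distinct[-1], "packets": len(ports),
            "contiguous": contiguous, "traceroute_like": traceroute_like}

def analyse(text):
    """Map each source address in the log to its sweep summary."""
    return {src: classify(p) for src, p in parse_udp_drops(text).items()}

if __name__ == "__main__":
    for src, info in analyse(SAMPLE_LOG).items():
        print(src, info)
```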
On Dec 29, 2004, at 2:18 PM, Colby DeRodeff wrote:
> There is no way to get the packet data from a cisco IDS sensor. If you
> have the appliance model which runs linux, you can get tcpdump
> installed (I don't think it's there by default) and filter on those ip
> addresses and look at the actual packets that way.
>
> -colby
>
> Colby DeRodeff, GCIA, GCNA
> Security Engineer
> ArcSight Inc.
> colby@arcsight.com
> www.arcsight.com
>
>> -----Original Message-----
>> From: Billy Dodson [mailto:billy@pmm-i.com]
>> Sent: Wednesday, December 29, 2004 10:35 AM
>> To: dparker@bridonsecurity.com
>> Cc: incidents@securityfocus.com
>> Subject: RE: UDP Port Sweep question
>>
>> Here is some more info regarding the port sweeps. The port the client
>> is being hit on seems to vary. The client is being hit on the same 8
>> port range from each IP port 33434-33460. All 3 sensors from the 3
>> different clients show the same destination port range. The sensors are
>> cisco IDS sensors and I am unsure as to how to get the actual packet
>> from the event.
>>
>>
>> -----Original Message-----
>> From: Don Parker [mailto:dparker@bridonsecurity.com]
>> Sent: Tuesday, December 28, 2004 5:12 PM
>> To: incidents@securityfocus.com; 'Billy Dodson'
>> Subject: Re: UDP Port Sweep question
>>
>> Hello Billy,
>>
>> Might I suggest you post some of the packets here? It is hard to make
>> judgement calls without something to look at. Just sanitize the IPs
>> prior to posting the packets.
>>
>> Cheers,
>>
>> Don
>>
>> --------------------------------------------------------------
>> Don Parker, GCIA GCIH
>> Intrusion Detection & Incident Handling Specialist
>> Bridon Security & Training Services
>> http://www.bridonsecurity.com
>> voice: 1-613-302-2910
>> --------------------------------------------------------------
>>
>> On Tue, 28 Dec 2004 22:31 , 'Billy Dodson'
>> <CraftedPacket@securitynerds.org> sent:
>>
>>> I monitor 3 different sensors which are continuously pounded with network
>>> reconnaissance of all types. These sensors all belong to financial
>>> institutions. One thing that jumped out at me is the "UDP Port Sweeps"
>>> events from about 15 different IP addresses which all belong to either IBM
>>> or Sequent (which was bought by IBM). I see these same IP addresses doing
>>> the same thing on all three sensors. I have contacted the clients and
>>> they do not deal with IBM or Sequent in any way. Is there legitimate
>>> traffic that would cause these events to fire? It is odd to me that I see
>>> them on all 3 sensors for 3 different companies but all happen to be in the
>>> financial industry. Thanks in advance for your input.