RE: Question about IDS events



This is probably normal if your firewall rules allow connections to you
internal hosts. You will see external addresses on the 10.113.128.50
server when you do a 'netstat'. If that traffic is making it to your
internal box the IDS will inspect the packets.

Ben

-----Original Message-----
From: Koolk3 [mailto:koolk3@xxxxxxxxx]
Sent: Friday, February 03, 2006 2:49 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Question about IDS events

I am seeing external IP addresses in few events on my internal IDS.
These are mostly port/network scan type events. I am wondering what the
reason is. Instead of the firewall address why am I seeing the
originating IP? Is this due to the nature of ICMP packets or does this
result from scans like Nmap?

Thanks for your responses.

Sample events:

TCP_Port_Scan Medium 80.67.72.208 10.113.128.50
TCP_Port_Scan Medium 80.67.72.208 10.113.128.50
TCP_Port_Scan Medium 80.67.72.208 10.113.128.50
TCP_Port_Scan Medium 80.67.72.208 10.119.0.50

--
KoolK3

------------------------------------------------------------------------
---
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich
University program offers unparalleled Infosec management education and
the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity
Planning, Computer Emergency Response Teams, and Digital Investigations.


http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------



Relevant Pages

  • RE: Windows Log
    ... > EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE ... > The Norwich University program offers unparalleled Infosec management ... > education and the case study affords you unmatched consulting experience. ... > Computer Emergency Response Teams, ...
    (Security-Basics)
  • RE: Re: University Degree or CISSP
    ... Subject: Re: Re: University Degree or CISSP ... > And a college education will benefit you until the day you die. ... >> Planning, Computer Emergency Response Teams, and Digital Investigations. ... >> The Norwich University program offers unparalleled Infosec management ...
    (Security-Basics)
  • Re: Securing Blackberries
    ... > EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE ... > The Norwich University program offers unparalleled Infosec management ... > Tailor your education to your own professional goals with degree ... > Computer Emergency Response Teams, ...
    (Security-Basics)
  • Re: Windows Log
    ... >> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE ... >> The Norwich University program offers unparalleled Infosec management ... >> education and the case study affords you unmatched consulting experience. ... >> Computer Emergency Response Teams, ...
    (Security-Basics)
  • Re: Securing Blackberries
    ... > EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE ... > The Norwich University program offers unparalleled Infosec management ... > Tailor your education to your own professional goals with degree ... > Computer Emergency Response Teams, ...
    (Security-Basics)