Here is some more info regarding the port sweeps. The port the client
is being hit on seems to vary. The client is being hit on the same 8
port range from each IP port 33434-33460. All 3 sensors from the 3
different clients show the same destination port range. The sensors are
cisco IDS sensors and I am unsure as to how to get the actual packet
from the event.
-----Original Message-----
From: Don Parker [mailto:dparker@bridonsecurity.com]
Sent: Tuesday, December 28, 2004 5:12 PM
To: incidents@securityfocus.com; 'Billy Dodson'
Subject: Re: UDP Port Sweep question
Hello Billy,
Might I suggest you post some of the packets here? It is hard to make
judgement
calls without something to look at. Just sanitize the ip's prior to
posting the
packets.
Cheers,
Don
--------------------------------------------------------------
Don Parker, GCIA GCIH
Intrusion Detection & Incident Handling Specialist
Bridon Security & Training Services
http://www.bridonsecurity.com
voice: 1-613-302-2910
--------------------------------------------------------------
On Tue, 28 Dec 2004 22:31 , 'Billy Dodson'
<CraftedPacket@securitynerds.org> sent:
I monitor 3 different sensors which are continuously pounded with
network
reconnaissance of all types. These sensors all belong to financial
institutions. One thing that jumped out at me are "UDP Port Sweeps"
events from about 15 different IP addresses which all belong to either
IBM
or Sequent (which was bought by IBM). I see these same IP addresses
doing
the same thing on all three sensors. I have contacted the clients and
they do not deal with IBM or Sequent in any way. Are there legitimate
type
traffic
that would cause these events to fire? It is odd to me that I see them
on
all 3 sensors for 3 different companies but all happen to be in the
financial industry. Thanks in advance for your input.
