Our Cisco Secure IDS (that lives outside the firewall) is picking up some strange traffic off one of our Netscreen Firewalls. The Src addresses are the un-trusted interface addresses assigned to the Netscreen. Has anyone seen something like this before? Is it a bug or am I seeing something interesting?

Date                 Sensor  Signature  Sub Sig  Description         Severity  Src Address  Src Port  Dst Address  Dst Port
2001-10-26 08:51:24  3       3030       0        TCP SYN Host Sweep  2         my.net.com   2028      0.0.0.0      0
2001-10-26 08:55:24  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1610      0.0.0.0      0
2001-10-26 09:17:24  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1100      0.0.0.0      0
2001-10-26 09:21:20  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1058      0.0.0.0      0
2001-10-26 09:23:21  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1707      0.0.0.0      0
2001-10-26 09:25:23  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1133      0.0.0.0      0
2001-10-26 09:27:21  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1959      0.0.0.0      0
2001-10-26 10:33:21  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1448      0.0.0.0      0
--------Cut-------- (other address assigned to interface)
2001-11-02 09:24:24  3       3030       0        TCP SYN Host Sweep  2         my2.net.com  1886      0.0.0.0      0
2001-11-02 09:54:20  3       3030       0        TCP SYN Host Sweep  2         my2.net.com  1197      0.0.0.0      0
2001-11-02 10:48:23  3       3030       0        TCP SYN Host Sweep  2         my2.net.com  1779      0.0.0.0      0
2001-11-02 11:29:24  3       3030       0        TCP SYN Host Sweep  2         my2.net.com  1152      0.0.0.0      0
2001-11-02 11:49:20  3       3030       0        TCP SYN Host Sweep  2         my2.net.com  1286      0.0.0.0      0

Whatever it is, it is not terribly fast. The dates are inconsistent in this email but they are actually occurring every day with similar frequency.

thanks,
Geoff

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Fri Nov 09 2001 - 09:47:56 PST