We have found the same thing with our Cisco IDS systems. I was able to recreate this 0.0.0.0 bug when I would use Nmap SYN scans to browse through our network. The data was sent into Cisco and I believe they knew it was a bug with their latest update. I have no idea if/when a bug fix will be released :)

-Jared

>From: "Geoff Poer" <gpoerat_private>
>Reply-To: <gpoerat_private>
>To: <incidentsat_private>
>Subject: Strange TCP Sweep to 0.0.0.0
>Date: Fri, 9 Nov 2001 10:34:30 -0700
>
>Our Cisco Secure IDS (that lives outside the firewall) is picking up
>some strange traffic off one of our Netscreen Firewalls. The Src
>addresses are the un-trusted interface addresses assigned to the
>Netscreen. Has anyone seen something like this before? Is it a bug
>or am I seeing something interesting?
>
>Date Sensor Signature Sub Sig Description Severity Src Address Src Port Dst Address Dst Port
>2001-10-26 08:51:24 3 3030 0 TCP SYN Host Sweep 2 my.net.com 2028 0.0.0.0 0
>2001-10-26 08:55:24 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1610 0.0.0.0 0
>2001-10-26 09:17:24 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1100 0.0.0.0 0
>2001-10-26 09:21:20 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1058 0.0.0.0 0
>2001-10-26 09:23:21 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1707 0.0.0.0 0
>2001-10-26 09:25:23 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1133 0.0.0.0 0
>2001-10-26 09:27:21 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1959 0.0.0.0 0
>2001-10-26 10:33:21 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1448 0.0.0.0 0
>--------Cut--------
>
>(other address assigned to interface)
>2001-11-02 09:24:24 3 3030 0 TCP SYN Host Sweep 2 my2.net.com 1886 0.0.0.0 0
>2001-11-02 09:54:20 3 3030 0 TCP SYN Host Sweep 2 my2.net.com 1197 0.0.0.0 0
>2001-11-02 10:48:23 3 3030 0 TCP SYN Host Sweep 2 my2.net.com 1779 0.0.0.0 0
>2001-11-02 11:29:24 3 3030 0 TCP SYN Host Sweep 2 my2.net.com 1152 0.0.0.0 0
>2001-11-02 11:49:20 3 3030 0 TCP SYN Host Sweep 2 my2.net.com 1286 0.0.0.0 0
>
>Whatever it is, it is not terribly fast. The dates are inconsistent
>in this email but they are actually occurring every day with similar
>frequency.
>
>thanks,
>Geoff
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Tue Nov 13 2001 - 08:16:13 PST