Jared,

> I was hoping someone could tell me whether this is a misconfigured device
> (perhaps) or is this activity I should be concerned with (and please keep

> Nov 1 01:42:44 2U:10.1.1.1 Nov 01 2002 01:50:32: %PIX-2-106016: Deny IP
> spoof from (0.0.0.0) to x.x.x.5

Too bad these Pix logs don't show the attempted destination port.
We have seen similar things lately, TCP/445 slow scans from 0.0.0.0.
I'm not at work currently, sorry no tracefiles.

Looks like some sort of port 445 harvesting to me at first glance.
Definitely a red bullet on my watchlist.

ciao,
chakl

On Mon, Nov 04, 2002 at 04:27:35PM -0500, Ingersoll, Jared wrote:
> any witless banter regarding my use of 'concerned with' to yourself-
> thanks!).
>
> These are SYSLOG entries from my firewall (PIX). (the x.x.x.X are static
> address on the external interface).
>
> -Jared
>
> urchin 7% grep spoof oSYSLOG

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
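An added example, not part of the original thread: one way to go beyond `grep spoof` and summarize %PIX-2-106016 records per claimed source, so that a single noisy host can be told apart from a slow sweep across several external addresses. The sample lines are constructed (destinations use the documentation range 192.0.2.0/24), and the `min_dsts` threshold and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Matches the 106016 record quoted in the thread; search() skips the syslog prefix.
SPOOF_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    rf"%PIX-2-106016: Deny IP spoof from \((?P<src>{IP})\) to (?P<dst>{IP})"
)

# Constructed sample input: addresses and timestamps are invented.
SAMPLE = """\
Nov 1 01:42:44 2U:10.1.1.1 Nov 01 2002 01:50:32: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to 192.0.2.5
Nov 1 02:23:22 2U:10.1.1.1 Nov 01 2002 02:31:10: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to 192.0.2.6
Nov 1 02:40:01 2U:10.1.1.1 last message repeated 2 times
Nov 1 03:04:59 2U:10.1.1.1 Nov 01 2002 03:12:47: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to 192.0.2.7
Nov 1 03:30:12 2U:10.1.1.1 Nov 01 2002 03:38:00: %PIX-2-106016: Deny IP spoof from (192.0.2.200) to 192.0.2.5
Nov 1 03:57:15 2U:10.1.1.1 Nov 01 2002 04:05:03: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to 192.0.2.5
"""

def summarize(lines):
    """Group spoof-deny events by claimed source address."""
    by_src = defaultdict(
        lambda: {"count": 0, "dsts": set(), "first": None, "last": None})
    for line in lines:
        m = SPOOF_RE.search(line)
        if not m:
            continue  # not a 106016 record
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        rec = by_src[m["src"]]
        rec["count"] += 1
        rec["dsts"].add(m["dst"])
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return dict(by_src)

def sweep_sources(summary, min_dsts=3):
    """Sources seen against at least min_dsts distinct destinations."""
    return sorted(s for s, r in summary.items() if len(r["dsts"]) >= min_dsts)

if __name__ == "__main__":
    summary = summarize(SAMPLE.splitlines())
    for src, r in summary.items():
        print(src, r["count"], sorted(r["dsts"]), "over", r["last"] - r["first"])
    print("possible sweep from:", sweep_sources(summary))
```

As noted in the thread, this record carries no destination port, so confirming the TCP/445 pattern still needs a packet capture.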
This archive was generated by hypermail 2b30 : Mon Nov 04 2002 - 16:09:59 PST