Nmap UDP Port Sweep

Unanswered Question
Jun 18th, 2007

Hi,

We are getting some events on IPS for Nmap UDP Port Sweep (Signature 4003). The attacker shows an external address. What can I do about this alert, and what actions can I take?


mhellman Mon, 06/18/2007 - 14:26

Generally, even if it's legitimate it's not something to worry about. More than likely though, it's just return traffic. Please provide the source and destination ports.

sagittarius Tue, 06/19/2007 - 09:40

The destination port changes: udp/356, 357, 358, 361, 367, 359, 500. However, the attacker port remains the same (500 or 137).



mhellman Tue, 06/19/2007 - 09:50

UDP 500 and 137 are both well-known UDP ports (isakmp and netbios-ns), so there's a good chance this is UDP reply traffic to a known port. Are the source IP addresses internal? Are the destination IP addresses internal?

sagittarius Tue, 06/19/2007 - 10:09

Yes, the source IP is internal and the destination is external.

mhellman Tue, 06/19/2007 - 10:16

I've confused myself. To clarify:

SOURCE IP:PORT = :356,357,500,etc

DESTINATION IP:PORT = :137,500

Is that right?

sagittarius Tue, 06/19/2007 - 10:34

No,

Source Port: 137, 500

Destination Port: 356, 357, 500

mhellman Tue, 06/19/2007 - 10:42

I guess I'm missing something. Attacker = source IP unless "swap attacker victim" is selected, which it isn't by default for this sig.
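The triage checks mhellman walks through in this thread (is the attacker port a well-known UDP service port such as 137 or 500, so the events may be reply traffic; is the attacker IP internal; how many destination ports did one source touch) can be applied to a batch of sig 4003 events. The following is an added example, not code from the thread or from Cisco; the event records, the internal-network list and the field layout are constructed assumptions.

```python
"""Triage helper for Cisco IPS 'Nmap UDP Port Sweep' (sig 4003) events.

Added example, not from the thread. Groups events by attacker (source) IP and
reports the signals discussed in the thread. Sample data below is constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Well-known UDP service ports named in the thread; a fixed source port here
# suggests replies from a service rather than a scan from an ephemeral port.
KNOWN_UDP_SERVICE_PORTS = {137: "netbios-ns", 500: "isakmp"}

# Assumed "internal" address space (RFC 1918); adjust to the site's ranges.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events: (attacker_ip, attacker_port, victim_ip, victim_port)
SAMPLE_EVENTS = [
    ("10.1.2.3", 500, "203.0.113.10", 356),
    ("10.1.2.3", 500, "203.0.113.10", 357),
    ("10.1.2.3", 500, "203.0.113.10", 358),
    ("10.1.2.3", 137, "203.0.113.10", 361),
    ("198.51.100.7", 40123, "10.1.2.50", 53),
    ("198.51.100.7", 40123, "10.1.2.50", 161),
    ("198.51.100.7", 40123, "10.1.2.50", 500),
]


def is_internal(ip):
    """True when ip falls inside one of the assumed internal networks."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(events):
    """Return {attacker_ip: summary} with the triage signals for each attacker."""
    by_attacker = defaultdict(list)
    for src, sport, dst, dport in events:
        by_attacker[src].append((sport, dst, dport))
    result = {}
    for src, rows in by_attacker.items():
        sports = {sport for sport, _, _ in rows}
        dports = {dport for _, _, dport in rows}
        service_sports = {p for p in sports if p in KNOWN_UDP_SERVICE_PORTS}
        # Every source port is a known service port: consistent with reply
        # traffic. An ephemeral source port sweeping many destination ports is not.
        likely_replies = bool(service_sports) and sports == service_sports
        result[src] = {
            "internal": is_internal(src),
            "source_ports": sorted(sports),
            "distinct_dest_ports": len(dports),
            "likely_reply_traffic": likely_replies,
        }
    return result
```

The summary is a starting point for the question asked in the thread, not a verdict; confirming reply traffic still means matching the events against the outbound flows that preceded them.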
