Nmap UDP Port Sweep

sagittarius
Level 1

Hi,

We are getting some events on the IPS for Nmap UDP Port Sweep (Signature - 4003). The attacker shows an external address. What can I do about this alert, and what actions can I take?

7 Replies

mhellman
Level 7

Generally, even if it's legitimate it's not something to worry about. More than likely though, it's just return traffic. Please provide the source and destination ports.

Destination Port # changes from udp/356, 357, 358, 361, 367, 359, 500; however, the attacker port remains the same (500 or 137).

UDP 500 and 137 are both well-known UDP ports (isakmp and netbios-ns), so there's a good chance this is UDP reply traffic to a known port. Are the source IP addresses internal? Are the destination IP addresses internal?

Yes, the source IP is internal and the destination is external.

I've confused myself. To clarify:

SOURCE IP:PORT = :356,357,500,etc

DESTINATION IP:PORT = :137,500

Is that right?

No,

Source Port: 137, 500

Destination Port: 356, 357, 500

I guess I'm missing something. Attacker = source IP unless "swap attacker victim" is selected, which it isn't by default for this sig.
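The reply-traffic hypothesis raised in this thread can be checked against flow logs. The following is an added example, not code from any poster or from Cisco; the record layout, the 30-second window and the sample addresses are assumptions constructed for illustration.

```python
from collections import namedtuple

# Constructed record shape; real IPS and flow-log exports will differ.
Pkt = namedtuple("Pkt", "ts src sport dst dport")

# The two source ports named in the thread.
WELL_KNOWN_UDP = {137: "netbios-ns", 500: "isakmp"}

def triage_sweep(alert_pkts, flow_log, window=30.0):
    """Classify the packets behind a UDP port sweep alert.

    'likely-reply': one well-known source port, and every packet answers a
                    request seen in the reverse direction within `window` s.
    'unsolicited' : same port pattern, but some packet has no such request.
    'sweep-like'  : source port varies or is not a well-known service port.
    """
    sports = {p.sport for p in alert_pkts}
    if len(sports) != 1 or next(iter(sports)) not in WELL_KNOWN_UDP:
        return "sweep-like"
    # Index earlier requests by their 4-tuple.
    requests = {}
    for f in flow_log:
        requests.setdefault((f.src, f.sport, f.dst, f.dport), []).append(f.ts)
    for p in alert_pkts:
        # A reply mirrors the request: addresses and ports swapped.
        seen = requests.get((p.dst, p.dport, p.src, p.sport), [])
        if not any(0 <= p.ts - t <= window for t in seen):
            return "unsolicited"
    return "likely-reply"

# Constructed sample (documentation address ranges): the "attacker" sends
# from udp/500 to several destination ports, as in the thread.
SRC, PEER = "192.0.2.10", "198.51.100.7"
DPORTS = (356, 357, 358, 500)
ALERT = [Pkt(10.0 + i, SRC, 500, PEER, dp) for i, dp in enumerate(DPORTS)]
FLOWS = [Pkt(9.5 + i, PEER, dp, SRC, 500) for i, dp in enumerate(DPORTS)]

if __name__ == "__main__":
    print(triage_sweep(ALERT, FLOWS))   # a request precedes every packet
    print(triage_sweep(ALERT, []))      # nothing asked for these packets
```

A result of `unsolicited` means the port pattern fits reply traffic but the flow log does not confirm it, so the alerted host deserves a closer look.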
