07-19-2007 01:07 PM - edited 03-09-2019 06:26 PM
We have a server that keeps kicking alerts to our intrusion detection system.
The alert is showing that the CSA server is polling the server on UDP port 0 and the IDS system says this is an invalid port.
The originating port on the CSA server is random.
Is there any reason for CSA to be polling a server on port 0?
This is the only error we are getting like this.
Does anyone have an idea as to what this may be?
07-19-2007 02:33 PM
If you are seeing the alerts on the IPS with a port of 0, you are actually seeing the sensor summarize events. If you change the firing signature to "Fire All", you will see the true port.
Cheers.
Jay
07-19-2007 03:24 PM
Thanks for the reply.
Since I know nothing about the IDS, how would this be changed and is it something that is easy to do?
07-19-2007 03:46 PM
You have to edit the signature configuration for that particular signature. Then look for the summarization parameters. Change it to Fire All.