CS-MARS 5.3.x and Top Destination Port "0"?

brobinson
Level 1

Hi -

We have a CS-MARS just installed and in the Dashboard under "Activity - All Events and NewFlow - Top Destination Ports", it lists the top port as "0". What is this and why is it doing it?

It is almost double what TCP/80 is. When I run a report, there is no source address, and if I look at the events it is from our PIX about tearing down connections and such?

3 Replies

hadbou
Level 5

Destination Port Ranking: Returns destination ports. Ranked by either the number of sessions with that destination port or by bytes transmitted in sessions that contain events that meet the query criteria.

Refer to the following URL for more info on "top destination port "0"":

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/5.3/user/guide/global_controller/q_report.html#wp1048282

Activity: Network Usage - Top Destination Ports: This report ranks destination ports by number of network sessions. This report requires that the syslog level of routers or firewalls be set to high to be able to capture session events. This report provides a general usage pattern of the network.

martinv2008
Level 1

Connections to TCP port 0 are usually used for operating system fingerprinting, and could mean scans are underway. Probably there's malware in the computers on your network (as in most networks).

You should block everything in your firewalls and only allow the TCP ports needed. You can confirm the TCP port 0 connections were blocked by checking the path graph of those incidents. Move the mouse over the lines in the path graph and check if the path turns red until reaching the Internet or if it stops at your firewalls.

Check this:

http://www.grc.com/port_0.htm

http://www.networkpenetration.com/port0.html

Thanks for the replies.

I worked with TAC and it is because the PIX is sending syslog level "debug" to the CS-MARS and everything it cannot classify is in "0"... This includes ICMP, xlate build/teardown, etc.; unfortunately, CS-MARS needs those for sessionization according to the documentation, so they have to come in.
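To see why the "0" bucket outgrows TCP/80 when a PIX logs at debug level, here is a small added example (not code from the thread or from Cisco) that tallies destination ports from constructed PIX-style syslog lines, counting any message without a TCP/UDP port as port 0 the way the thread describes. It assumes the "for" side of a connection message is the destination and counts raw events rather than reproducing MARS sessionization.

```python
import re
from collections import Counter

# Constructed sample lines in PIX syslog style (not from the original thread).
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 10 for outside:203.0.113.5/80 (203.0.113.5/80) to inside:10.1.1.5/51234 (198.51.100.1/51234)
%PIX-6-302014: Teardown TCP connection 10 for outside:203.0.113.5/80 to inside:10.1.1.5/51234 duration 0:00:05 bytes 812 TCP FINs
%PIX-6-302015: Built outbound UDP connection 11 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:10.1.1.5/40000 (198.51.100.1/40000)
%PIX-6-302016: Teardown UDP connection 11 for outside:203.0.113.53/53 to inside:10.1.1.5/40000 duration 0:00:02 bytes 120
%PIX-6-305011: Built dynamic TCP translation from inside:10.1.1.5/51234 to outside:198.51.100.1/51234
%PIX-6-305012: Teardown dynamic TCP translation from inside:10.1.1.5/51234 to outside:198.51.100.1/51234 duration 0:00:30
%PIX-6-302020: Built ICMP connection for faddr 203.0.113.9/0 gaddr 198.51.100.1/0 laddr 10.1.1.5/0
%PIX-6-302021: Teardown ICMP connection for faddr 203.0.113.9/0 gaddr 198.51.100.1/0 laddr 10.1.1.5/0
%PIX-7-609001: Built local-host inside:10.1.1.5
%PIX-7-609002: Teardown local-host inside:10.1.1.5 duration 0:01:00
"""

# TCP/UDP connection build/teardown: severity, message id, then the port on the
# "for" side (assumed here to be the destination).
CONN_RE = re.compile(
    r"%PIX-(\d)-(\d+): (?:Built|Teardown) (?:inbound |outbound )?(TCP|UDP) "
    r"connection \d+ for \w+:[\d.]+/(\d+)")
HDR_RE = re.compile(r"%PIX-(\d)-(\d+):")


def dest_port(line):
    """Return (severity, msg_id, port); port is 0 when the message carries no
    TCP/UDP destination port (ICMP, xlate build/teardown, local-host, ...)."""
    m = CONN_RE.match(line)
    if m:
        return int(m.group(1)), m.group(2), int(m.group(4))
    h = HDR_RE.match(line)
    if not h:
        return None  # not a PIX syslog line
    return int(h.group(1)), h.group(2), 0


def top_dest_ports(log, max_severity=7):
    """Count events per destination port, and which message ids feed the
    port-0 bucket. max_severity=6 shows the ranking without debug messages."""
    ports, zero_sources = Counter(), Counter()
    for line in log.splitlines():
        parsed = dest_port(line)
        if parsed is None:
            continue
        sev, msg_id, port = parsed
        if sev > max_severity:
            continue
        ports[port] += 1
        if port == 0:
            zero_sources[msg_id] += 1
    return ports, zero_sources
```

Running `top_dest_ports(SAMPLE_LOG)` ranks port 0 first, and the second counter names the message ids (xlate, ICMP, local-host) responsible, which is the list to review before deciding whether any of them can be dropped without breaking sessionization.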
