07-29-2008 02:29 PM - edited 03-10-2019 04:13 AM
Hi,
Monitoring the IDM alerts shows that one of the internal clients is attacking outside IP addresses. Could someone shed light on the above dynamics.
Thanks.
Said
evIdsAlert: eventId=1216735955474843112 vendor=Cisco severity=informational
originator:
hostId: ips
appName: sensorApp
appInstanceId: 406
time: Jul 29, 2008 12:50:48 UTC offset=0 timeZone=UTC
signature: description=TCP SYN Host Sweep id=3030 version=S2
subsigId: 0
marsCategory: Probe/SpecificPorts
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: 192.168.1.207 locality=OUT
port: 4580
target:
addr: 66.150.11.50 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 68.180.219.138 locality=OUT
os: idSource=learned type=bsd relevance=relevant
target:
addr: 74.201.95.4 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 72.247.169.161 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 207.230.151.254 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 216.252.124.207 locality=OUT
os: idSource=learned type=bsd relevance=relevant
target:
addr: 67.228.69.100 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 208.43.2.146 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 66.196.126.101 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 69.22.167.239 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 216.73.87.152 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 12.130.60.4 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 66.94.234.72 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 216.145.50.247 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 216.252.125.76 locality=OUT
os: idSource=learned type=bsd relevance=relevant
target:
addr: 209.131.37.77 locality=OUT
os: idSource=learned type=bsd relevance=relevant
alertDetails: InterfaceAttributes: context="Unknown" physical="Unknown" backplane="GigabitEthernet0/1" ;
riskRatingValue: 31 targetValueRating=medium attackRelevanceRating=relevant
threatRatingValue: 31
interface: GigabitEthernet0/1 context=Unknown physical=Unknown backplane=GigabitEthernet0/1
protocol: tcp
07-30-2008 09:03 AM
A host sweep does not equal an attack. We don't have the destination port here so this could simply be outbound web traffic from a proxy server or outbound mail traffic from your mail server. Perform a packet display on the sensor to see what connections the above IP is making (look at the destination port) and also look for other events with this same source.
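The triage the reply describes (pull the attacker out of the alert, then look at the destination ports that host is actually connecting to) is easy to script. The following is an added example, not part of the thread and not a Cisco tool: it parses the text form of an evIdsAlert as posted above, then profiles destination ports from a constructed list of flows of the kind a packet display or tcpdump on the sensor would give you. The flow records and the 90% thresholds in `classify` are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample: the evIdsAlert from the post, trimmed to the lines
# the parser needs (the real alert lists 16 targets).
SAMPLE_ALERT = """\
evIdsAlert: eventId=1216735955474843112 vendor=Cisco severity=informational
signature: description=TCP SYN Host Sweep id=3030 version=S2
participants:
attacker:
addr: 192.168.1.207 locality=OUT
port: 4580
target:
addr: 66.150.11.50 locality=OUT
target:
addr: 68.180.219.138 locality=OUT
target:
addr: 74.201.95.4 locality=OUT
"""

# Constructed connection records in the shape a packet display or a
# tcpdump one-liner on the sensor would give: (src, sport, dst, dport).
# Here every destination port is 80 or 443, the pattern a web proxy makes.
SAMPLE_FLOWS = [
    ("192.168.1.207", 4580, "66.150.11.50", 80),
    ("192.168.1.207", 4581, "68.180.219.138", 80),
    ("192.168.1.207", 4582, "74.201.95.4", 443),
    ("192.168.1.207", 4583, "72.247.169.161", 80),
    ("192.168.1.207", 4584, "207.230.151.254", 443),
    ("10.0.0.5", 51000, "10.0.0.9", 445),   # unrelated host, must be ignored
]


def parse_alert(text):
    """Extract eventId, signature id, attacker and target addresses
    from the text form of an evIdsAlert."""
    alert = {"targets": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("evIdsAlert:"):
            alert["eventId"] = re.search(r"eventId=(\d+)", line).group(1)
        elif line.startswith("signature:"):
            # match the bare "id=" key, not a key that merely ends in "id="
            alert["sigId"] = int(re.search(r"(?<![A-Za-z])id=(\d+)", line).group(1))
        elif line in ("attacker:", "target:"):
            section = line[:-1]
        elif line.startswith("addr:"):
            addr = line.split()[1]
            if section == "attacker":
                alert["attacker"] = addr
            elif section == "target":
                alert["targets"].append(addr)
    return alert


def dport_profile(attacker, flows):
    """Count destination ports used by the attacker address across flows."""
    return Counter(dport for src, _, _, dport in flows if src == attacker)


def classify(profile):
    """Rough triage verdict from the destination-port mix.
    The 90% thresholds are an assumption for this example, not an IPS setting."""
    total = sum(profile.values())
    if total == 0:
        return "no flows seen"
    if (profile[80] + profile[443]) / total >= 0.9:
        return "web-like (proxy or browsing)"
    if profile[25] / total >= 0.9:
        return "smtp-like (mail server)"
    return "mixed ports: investigate host"


def triage(alert_text, flows):
    """Join the alert's attacker with the observed flows and give a verdict."""
    alert = parse_alert(alert_text)
    profile = dport_profile(alert["attacker"], flows)
    return {
        "eventId": alert["eventId"],
        "sigId": alert["sigId"],
        "attacker": alert["attacker"],
        "target_count": len(alert["targets"]),
        "dports": dict(profile),
        "verdict": classify(profile),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERT, SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

With the sample flows the verdict is "web-like", which matches the reply's point that signature 3030 firing on a proxy or browsing host is expected; a spread of unrelated ports from the same source is what would justify pulling the host.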
08-06-2008 09:25 AM
Hi,
I had the exact same issue going on at my location, and there were two causes.
One was that we had a Blue Coat proxy, which uses multiple ports to refresh its website cache and for new requests.
The other cause was a machine that was infested with spyware.
If it is a user's machine, I would suggest downloading the Sysinternals Suite from Microsoft, and doing a PSLOGGEDON \\
Jason
08-06-2008 10:05 AM
Jason,
Thanks.
Said
08-06-2008 10:29 AM
Jason,
I downloaded and unzipped Sysinternals Suite. Where do I type in PSLOGGEDON \\
08-06-2008 12:38 PM
I ran a spyware program on the machines that "attacked" outside IPs. There was no spyware found.