Cisco IEV v4.0(1)S37
Cisco IDS v4.0(2)S47
Cisco PIX v6.2(2)
A "TCP Upper Port Sweep" popped up on IEV today showing our webserver as the Source Address. After checking the PIX log, I find that IEV has the wrong source and destination addresses listed.
According to the PIX syslog, our webserver was the destination address. Here is a sample of the log:
WTsyslog[2003-07-10 11:48:40 ip=x.x.x.x pri=6] <190>Jul 10 2003 11:48:40: %PIX-6-302013: Built inbound TCP connection 6855503 for outside:184.108.40.206/42620 (220.127.116.11/42620) to dmz1:192.168.1.2/443 (x.x.x.x/443)
WTsyslog[2003-07-10 11:48:42 ip=x.x.x.x pri=6] <190>Jul 10 2003 11:48:42: %PIX-6-302013: Built inbound TCP connection 6855504 for outside:18.104.22.168/42621 (22.214.171.124/42621) to dmz1:192.168.1.2/443 (x.x.x.x/443)
Yet the IEV lists 126.96.36.199 as the Destination Address. This kind of traffic goes on for a while, with the source incrementing the ports upward.
The log also shows 12 other hosts connected with our webserver in this fashion over a 1-hour period. IEV has the Source and Destination addresses reversed on these as well (if one can believe the PIX log).
Am I missing something?
Is there something that needs to be addressed in IEV or the IDS?
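Since the question turns on which side the PIX log actually records as the initiator, here is an added example (not part of the original post, nor Cisco code) that parses `%PIX-6-302013` "Built inbound TCP connection" lines in the layout quoted above, groups connections by initiator, responder and destination port, and reports the rising-source-port pattern described in the post. The syslog lines in `SAMPLE_LOG` are constructed for the example with documentation addresses (198.51.100.x as outside hosts, 203.0.113.10 as the mapped global address); only the interface names and the 192.168.1.2/443 responder come from the post. On a 302013 line the `for <interface>:<ip>/<port>` side is the host that opened the connection and the `to <interface>:<ip>/<port>` side is the one that accepted it, so the parser uses exactly that as source and destination.

```python
import re
from collections import defaultdict

# Field layout of PIX message id 302013 as it appears in the post:
#   Built inbound TCP connection <id> for <if>:<real_ip>/<port> (<mapped_ip>/<port>)
#                                      to <if>:<real_ip>/<port> (<mapped_ip>/<port>)
PIX_302013 = re.compile(
    r"%PIX-6-302013: Built (?P<direction>inbound|outbound) TCP connection (?P<conn_id>\d+) "
    r"for (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"\((?P<src_map_ip>[\d.]+)/(?P<src_map_port>\d+)\) "
    r"to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"\((?P<dst_map_ip>[\d.]+)/(?P<dst_map_port>\d+)\)"
)

# Constructed sample log (not from the post): one outside host opening three
# connections to the DMZ web server with rising ephemeral ports, a second host
# opening one connection, and a teardown line the parser must skip.
SAMPLE_LOG = [
    "WTsyslog[2003-07-10 11:48:40 ip=203.0.113.10 pri=6] <190>Jul 10 2003 11:48:40: %PIX-6-302013: "
    "Built inbound TCP connection 6855503 for outside:198.51.100.7/42620 (198.51.100.7/42620) "
    "to dmz1:192.168.1.2/443 (203.0.113.10/443)",
    "WTsyslog[2003-07-10 11:48:42 ip=203.0.113.10 pri=6] <190>Jul 10 2003 11:48:42: %PIX-6-302013: "
    "Built inbound TCP connection 6855504 for outside:198.51.100.7/42621 (198.51.100.7/42621) "
    "to dmz1:192.168.1.2/443 (203.0.113.10/443)",
    "WTsyslog[2003-07-10 11:48:43 ip=203.0.113.10 pri=6] <190>Jul 10 2003 11:48:43: %PIX-6-302013: "
    "Built inbound TCP connection 6855505 for outside:198.51.100.7/42622 (198.51.100.7/42622) "
    "to dmz1:192.168.1.2/443 (203.0.113.10/443)",
    "WTsyslog[2003-07-10 11:48:44 ip=203.0.113.10 pri=6] <190>Jul 10 2003 11:48:44: %PIX-6-302013: "
    "Built inbound TCP connection 6855506 for outside:198.51.100.8/51000 (198.51.100.8/51000) "
    "to dmz1:192.168.1.2/443 (203.0.113.10/443)",
    "WTsyslog[2003-07-10 11:48:45 ip=203.0.113.10 pri=6] <190>Jul 10 2003 11:48:45: %PIX-6-302014: "
    "Teardown TCP connection 6855503 for outside:198.51.100.7/42620 to dmz1:192.168.1.2/443 duration 0:00:05 bytes 1832 TCP FINs",
]


def parse_pix_302013(line):
    """Return the fields of a 302013 line as a dict, or None for any other line.

    The 'for' side is the host that opened the connection (source); the 'to'
    side is the host that accepted it (destination)."""
    m = PIX_302013.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("conn_id", "src_port", "src_map_port", "dst_port", "dst_map_port"):
        rec[key] = int(rec[key])
    return rec


def summarize_initiators(lines):
    """Group built connections by (src_ip, dst_ip, dst_port) -> sorted source ports."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_pix_302013(line)
        if rec is not None:
            groups[(rec["src_ip"], rec["dst_ip"], rec["dst_port"])].append(rec["src_port"])
    return {key: sorted(ports) for key, ports in groups.items()}


def rising_source_ports(ports, min_count=3):
    """True when one initiator opened at least min_count connections to the same
    destination port with strictly increasing source ports: the pattern the post
    describes. Rising source ports with a fixed destination port is what a normal
    TCP client's ephemeral-port allocation looks like; a port sweep proper is
    characterised by variation in the destination port, which this grouping keeps fixed."""
    if len(ports) < min_count:
        return False
    return all(later > earlier for earlier, later in zip(ports, ports[1:]))


def report(lines):
    """Per (src, dst, dst_port): number of connections and whether source ports rise."""
    return {
        key: {"connections": len(ports), "rising_source_ports": rising_source_ports(ports)}
        for key, ports in summarize_initiators(lines).items()
    }


if __name__ == "__main__":
    for (src, dst, dport), info in sorted(report(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}:{dport}  connections={info['connections']}  "
              f"rising_source_ports={info['rising_source_ports']}")
```

Run against a WTsyslog export of the real PIX log and compare each `src -> dst` line with the Source/Destination columns IEV shows for the same minute; the grouping makes it obvious which host the firewall saw as the initiator and whether the destination port ever varies.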