Cisco Support Community
New Member

3002 Signature related DNS replication or something else?

We see this signature a lot... 3002 - TCP Syn Port Sweep

Source and destination are internal and port 53-DNS, 88-Kerberos, 135-Endpoint Mapper, 139-Netbios, 389-LDAP, and 445-SMB.

Thoughts?

1 REPLY
Cisco Employee

Re: 3002 Signature related DNS replication or something else?

Sig 3002 triggers on 5 SYN packets from (Host A) to (Host B ports 1-1024). Knowing the trigger condition, you can now look at the "attacker" machine... since it's internal, what is it, what does it do?

Network management tools mapping hosts and services will cause this signature to fire since that behavior is really no different than say an nmap scan. It's also conceivable that given the combination of services running on the attacker, normal operation of that box will cause this to trigger.

The next step is to identify what the "attacker" box is, and what it's doing.
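An added example, not from the thread, that reproduces the trigger condition the reply describes over constructed SYN records (assuming the sweep counts distinct destination ports in 1-1024 per source/destination pair, and that only bare SYNs count) and then separates hits from a hypothetical inventory of known management/scanner hosts, which is the triage step the reply points at.

```python
from collections import defaultdict

# Constructed sample records: (src, dst, dst_port, tcp_flags), one per segment.
# The ports mirror the ones reported in the question.
SAMPLE_SYNS = [
    ("10.0.0.5", "10.0.0.10", 53, "S"),
    ("10.0.0.5", "10.0.0.10", 88, "S"),
    ("10.0.0.5", "10.0.0.10", 135, "S"),
    ("10.0.0.5", "10.0.0.10", 139, "S"),
    ("10.0.0.5", "10.0.0.10", 389, "S"),
    ("10.0.0.5", "10.0.0.10", 445, "S"),
    ("10.0.0.5", "10.0.0.10", 445, "S"),   # repeat port: adds nothing to the sweep
    ("10.0.0.7", "10.0.0.10", 445, "S"),   # one port only: an ordinary SMB client
    ("10.0.0.7", "10.0.0.10", 445, "SA"),  # SYN/ACK: not a bare SYN, ignored
    ("10.0.0.9", "10.0.0.10", 8080, "S"),  # above 1024: outside the 3002 port range
]


def port_sweep_hits(records, threshold=5, low=1, high=1024):
    """Return {(src, dst): sorted distinct ports} for every pair that
    sent bare SYNs to at least `threshold` distinct ports in [low, high]."""
    ports = defaultdict(set)
    for src, dst, dport, flags in records:
        if flags != "S":              # only bare SYNs count toward the sweep
            continue
        if not low <= dport <= high:  # signature scope is ports 1-1024
            continue
        ports[(src, dst)].add(dport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= threshold}


def triage(hits, known_scanners=frozenset()):
    """Split hits into those sourced from known management/scanner hosts
    (hypothetical inventory supplied by the caller) and those still unexplained."""
    expected = {k: v for k, v in hits.items() if k[0] in known_scanners}
    unexplained = {k: v for k, v in hits.items() if k[0] not in known_scanners}
    return expected, unexplained


if __name__ == "__main__":
    hits = port_sweep_hits(SAMPLE_SYNS)
    expected, unexplained = triage(hits, known_scanners={"10.0.0.5"})
    print("sweep hits:", hits)
    print("from known management hosts:", expected)
    print("needs investigation:", unexplained)
```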
