New Member

Nmap UDP Port Sweep

Hi,

We are getting some events on IPS for Nmap UDP Port Sweep (Signature - 4003). Attacker shows an external address. What can I do for this alert? What actions can I take?

7 REPLIES
Gold

Re: Nmap UDP Port Sweep

Generally, even if it's legitimate it's not something to worry about. More than likely though, it's just return traffic. Please provide the source and destination ports.

New Member

Re: Nmap UDP Port Sweep

Destination Port # changes from udp/356,357,358,361,367,359,500; however, the attacker port remains the same (500 or 137).

Gold

Re: Nmap UDP Port Sweep

UDP 500 and 137 are both well-known UDP ports (isakmp and netbios-ns), so there's a good chance this is UDP reply traffic to a known port. Are the source IP addresses internal? Are the destination IP addresses internal?

New Member

Re: Nmap UDP Port Sweep

Yes, source IP is internal and destination is external.

Gold

Re: Nmap UDP Port Sweep

I've confused myself. To clarify:

SOURCE IP:PORT = :356,357,500,etc

DESTINATION IP:PORT = :137,500

Is that right?

New Member

Re: Nmap UDP Port Sweep

No,

Source Port: 137,500

Destination Port: 356,357,500

Gold

Re: Nmap UDP Port Sweep

I guess I'm missing something. Attacker = source IP unless "swap attacker victim" is selected, which it isn't by default for this sig.

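The triage question raised in the replies above (fixed well-known source port, changing destination ports, which side is internal), as an added example that is not part of the original thread and not the sensor's signature logic. The function name, the RFC 1918 definition of "internal" and all addresses are assumptions; the sample flows are constructed from the ports reported in the thread.

```python
from ipaddress import ip_address, ip_network

# UDP services named in the thread; extend for your environment.
KNOWN_UDP_SERVICES = {137: "netbios-ns", 500: "isakmp"}
# RFC 1918 ranges stand in for "internal" (assumption; use your own address plan).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def triage_udp_sweep(flows):
    """Summarise the (src_ip, src_port, dst_ip, dst_port) tuples behind one alert."""
    if not flows:
        raise ValueError("no flows to triage")
    src_ports = sorted({f[1] for f in flows})
    dst_ports = sorted({f[3] for f in flows})
    # Replies from a service leave from its fixed port toward many client ports,
    # which looks like a sweep when only destination ports are counted.
    service_src = all(p in KNOWN_UDP_SERVICES for p in src_ports)
    return {
        "src_ports": src_ports,
        "dst_port_count": len(dst_ports),
        "src_internal": all(is_internal(f[0]) for f in flows),
        "dst_internal": all(is_internal(f[2]) for f in flows),
        "verdict": "likely service reply traffic" if service_src
                   else "review as possible sweep",
    }


# Constructed sample matching the ports reported in the thread.
REPORTED = [("10.0.0.5", sp, "203.0.113.7", dp)
            for sp, dp in [(500, 356), (500, 357), (137, 358), (500, 361),
                           (137, 367), (500, 359), (500, 500)]]
# Constructed contrast case: changing source ports walking consecutive ports.
CONTRAST = [("203.0.113.7", 40000 + i, "10.0.0.5", 1 + i) for i in range(8)]

if __name__ == "__main__":
    for name, flows in (("reported", REPORTED), ("contrast", CONTRAST)):
        print(name, triage_udp_sweep(flows))
```

The verdict only restates the port pattern; the `src_internal` and `dst_internal` fields answer the direction question asked in the thread and should be read alongside it.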