06-18-2007 01:57 PM - edited 03-10-2019 03:39 AM
Hi,
We are getting some events on the IPS for Nmap UDP Port Sweep (Signature - 4003). The attacker shows an external address. What can I do about this alert, and what actions can I take?
06-18-2007 02:26 PM
Generally, even if it's legitimate it's not something to worry about. More than likely though, it's just return traffic. Please provide the source and destination ports.
06-19-2007 09:40 AM
Destination port # changes from udp/356,357,358,361,367,359,500; however, the attacker port remains the same (500 or 137).
06-19-2007 09:50 AM
UDP 500 and 137 are both well-known UDP ports (isakmp and netbios-ns), so there's a good chance this is UDP reply traffic to a known port. Are the source IP addresses internal? Are the destination IP addresses internal?
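One way to test the reply-traffic theory from the post above, as an added example that is not part of the original thread: match each packet that fired the sweep alert against an earlier outbound request with the mirrored address and port pair. The record layout, the 30-second window and all addresses are constructed assumptions; only ports 500/137 and the destination ports 356-358 come from the thread.

```python
from collections import namedtuple

# Constructed record layout (assumption): timestamp in seconds, UDP only.
Pkt = namedtuple("Pkt", "ts src sport dst dport")

SERVICE_PORTS = {500: "isakmp", 137: "netbios-ns"}  # ports named in the thread
WINDOW = 30  # assumed: how long a reply may trail its request, in seconds


def triage_sweep(alert_pkts, outbound_pkts, window=WINDOW):
    """Split alert packets into (replies, unsolicited) using outbound flows."""
    requests = {}
    for p in outbound_pkts:
        # Key is the 4-tuple that a genuine reply would carry.
        requests.setdefault((p.dst, p.dport, p.src, p.sport), []).append(p.ts)
    replies, unsolicited = [], []
    for p in alert_pkts:
        sent = requests.get((p.src, p.sport, p.dst, p.dport), [])
        matched = any(0 <= p.ts - t <= window for t in sent)
        (replies if matched else unsolicited).append(p)
    return replies, unsolicited


def verdict(alert_pkts, outbound_pkts):
    """Summarise one alert: explained by replies, or left unexplained."""
    if not alert_pkts:
        return "no packets"
    replies, unsolicited = triage_sweep(alert_pkts, outbound_pkts)
    if unsolicited:
        return "unsolicited: %d of %d packets" % (len(unsolicited), len(alert_pkts))
    sports = {p.sport for p in alert_pkts}
    if len(sports) == 1 and sports <= SERVICE_PORTS.keys():
        return "reply traffic"
    return "reply traffic (source port not a listed service)"


# Constructed sample data: an internal host talking to a peer on udp/500,
# and a second external host sending to the same ports with no prior request.
INSIDE, PEER, OTHER = "10.0.0.5", "203.0.113.9", "198.51.100.7"
OUTBOUND = [Pkt(t, INSIDE, sp, PEER, 500) for t, sp in ((0, 356), (2, 357), (4, 358))]
ALERT_REPLY = [Pkt(t, PEER, 500, INSIDE, dp) for t, dp in ((1, 356), (3, 357), (5, 358))]
ALERT_SCAN = [Pkt(t, OTHER, 500, INSIDE, dp) for t, dp in ((1, 356), (3, 357), (5, 358))]

if __name__ == "__main__":
    print(verdict(ALERT_REPLY, OUTBOUND))
    print(verdict(ALERT_SCAN, OUTBOUND))
```
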
06-19-2007 10:09 AM
Yes, the source IP is internal and the destination is external.
06-19-2007 10:16 AM
I've confused myself. To clarify:
SOURCE IP:PORT =
DESTINATION IP:PORT =
Is that right?
06-19-2007 10:34 AM
No,
Source Port :
Destination Port:
06-19-2007 10:42 AM
I guess I'm missing something. Attacker = source IP unless "swap attacker victim" is selected, which it isn't by default for this sig.