sig 1300 victim port 46823

vpersaud001
Level 3

Hello. My IDS is picking up traffic to a mail server, attacker port 50084 / victim port 46823. Because the ports are both higher order, it doesn't look like legitimate traffic. How would I investigate further to define this traffic?

I found this online: Stack-based buffer overflow in Sielco Sistemi Winlog Pro 2.07.00 and earlier, when Run TCP/IP server is enabled, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a crafted 0x02 opcode to TCP port 46823.

But that system is nowhere on the network.

Thanks.


5 Replies

_____Adam
Level 1

Signature 1300 alerts on TCP Segment Manipulation. Are you saying you are seeing this signature fire? The specifics on the traffic that it will alert on are shown in the link below:

http://tools.cisco.com/security/center/viewAlert.x?alertId=1160

To categorize the traffic to port 46823 further, you would need to get a capture of the traffic (such as through a traffic capture program like Wireshark, or through port mirroring). A traffic capture would allow you to see if it is malicious or not. Even if you don't have a "Sielco Sistemi Winlog Pro" system on your network, you still might be getting this malicious traffic in your network somehow.

Yes, I'm seeing the signature fire. I turned on log pair packet on the IDSM. I've never used it before, so I'm not sure what kind of capture it will produce. Thanks for posting. I'll update when it fires again.

Didn't have to wait long. Log pair packet produced an excellent capture that opens in Wireshark. I got an ICMP message in which the source and destination IPs are the same, but down in the ICMP details the destination IP is different and the checksum is incorrect (all zeros). Not sure what it means, but both IPs are on the same VLAN, so I assume it's benign.

Any thoughts?

Thanks.

If the checksum is incorrect (all zeros) then it sounds like at least part of the packet is malformed. However, it is probably safe to ignore this packet unless it is having some sort of negative effect on your network.

Adam... Thanks for your help.
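The two things the thread ends up looking at, whether the ICMP checksum verifies and what destination the "ICMP details" actually carry, can be checked directly against the bytes of a capture. The following is an added example, not code from this thread or from Cisco; it dissects a constructed IPv4/ICMP packet modelled on the one described (RFC 5737 test addresses, checksum field all zeros) and shows that the second destination comes from the original datagram's IP header quoted inside an ICMP error message.

```python
import struct
import ipaddress

def inet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(buf):
    """Return (header length in bytes, protocol, src, dst) of an IPv4 header."""
    ihl = (buf[0] & 0x0F) * 4
    src, dst = (str(ipaddress.IPv4Address(buf[i:i + 4])) for i in (12, 16))
    return ihl, buf[9], src, dst

def analyze_icmp(packet):
    """Verify the ICMP checksum and, for error types that quote the offending
    datagram (3, 4, 5, 11, 12), extract the inner IP header's addresses."""
    ihl, proto, src, dst = parse_ipv4_header(packet)
    if proto != 1:
        raise ValueError("not an ICMP packet")
    icmp = packet[ihl:]
    icmp_type, code, stored = struct.unpack("!BBH", icmp[:4])
    computed = inet_checksum(icmp[:2] + b"\x00\x00" + icmp[4:])  # checksum field zeroed
    result = {"outer_src": src, "outer_dst": dst, "type": icmp_type, "code": code,
              "checksum_stored": stored, "checksum_ok": stored == computed,
              "inner_src": None, "inner_dst": None}
    if icmp_type in (3, 4, 5, 11, 12) and len(icmp) >= 8 + 20:
        _, _, result["inner_src"], result["inner_dst"] = parse_ipv4_header(icmp[8:])
    return result

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, header checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_icmp_unreachable(inner, checksum=None):
    """ICMP type 3/code 3 quoting 28 bytes of 'inner'; checksum=None computes a valid one."""
    body = struct.pack("!BBHI", 3, 3, 0, 0) + inner[:28]
    if checksum is None:
        checksum = inet_checksum(body)
    return body[:2] + struct.pack("!H", checksum) + body[4:]

# Constructed sample modelled on the thread's capture: outer src == dst, quoted inner header
# names another host, ICMP checksum field all zeros (RFC 5737 test addresses).
INNER = build_ipv4("192.0.2.10", "192.0.2.20", 17, b"\x00" * 8)
SAMPLE = build_ipv4("192.0.2.10", "192.0.2.10", 1, build_icmp_unreachable(INNER, checksum=0))
```

Running `analyze_icmp(SAMPLE)` reports `checksum_ok` as False with the outer addresses equal and `inner_dst` set to the other host; rebuilding the same packet with `checksum=None` makes the check pass, which is the difference between a malformed packet and a legitimate ICMP error.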
