Cisco Support Community
New Member

sig 1300 victim port 46823

Hello... My IDS is picking up traffic to a mail server, attacker port 50084 / victim port 46823. Because the ports are both higher order, it doesn't look like legitimate traffic. How would I investigate further to define this traffic?

I found this online: Stack-based buffer overflow in Sielco Sistemi Winlog Pro 2.07.00 and earlier, when Run TCP/IP server is enabled, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a crafted 0x02 opcode to TCP port 46823.

But that system is nowhere on the network.

Thanks.

5 REPLIES
New Member

sig 1300 victim port 46823

Signature 1300 alerts on TCP Segment Manipulation; are you saying you are seeing this signature fire? The specifics on the traffic that it will alert on are shown in the link below:

http://tools.cisco.com/security/center/viewAlert.x?alertId=1160

To categorize the traffic to port 46823 further you would need to get a capture of the traffic (such as through a traffic capture program like Wireshark, or through port mirroring). A traffic capture would allow you to see if it is malicious or not. Even if you don't have a "Sielco Sistemi Winlog Pro" system on your network, you still might be getting this malicious traffic in your network somehow.

New Member

sig 1300 victim port 46823

Yes I'm seeing the signature fire. I turned on log pair packet on the IDSM. I've never used it before so am not sure what kind of capture it will produce. Thanks for posting. I'll update when it fires again.

New Member

Re: sig 1300 victim port 46823

Didn't have to wait long. Log pair packet produced an excellent capture that opens in Wireshark. I got an ICMP message in which the source and destination IPs are the same, but down in the ICMP details the destination IP is different and the checksum is incorrect (all zeros). Not sure what it means, but both IPs are on the same VLAN, so I assume it's benign.

Any thoughts?

Thanks.
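As an added example (not code from this thread, from Cisco, or from the IDSM), here are the consistency checks a defender would run on a captured ICMP packet like the one described above, written in Python with the standard library only. The packet bytes are constructed in the script to mirror the description (outer source and destination identical, a quoted datagram addressed to another host on the same /24, the ICMP checksum field zeroed); the addresses are from TEST-NET-1 and the two port numbers are the ones named in the original question. Wireshark's checksum validation reaches the same verdict; this shows what is actually being verified and which inner/outer address relationship a genuine ICMP error must satisfy.

```python
import ipaddress
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers.
    Run over a header whose checksum field already holds the right value, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp_unreachable(quoted_datagram: bytes, checksum=None) -> bytes:
    """ICMP type 3 / code 3 (port unreachable) quoting the offending datagram.
    checksum=None inserts the correct value; any other value is written verbatim so a
    malformed packet like the one in the thread can be constructed for testing."""
    msg = struct.pack("!BBHI", 3, 3, 0, 0) + quoted_datagram
    if checksum is None:
        checksum = inet_checksum(msg)
    return msg[:2] + struct.pack("!H", checksum) + msg[4:]


def triage_icmp(packet: bytes) -> dict:
    """Parse an IPv4/ICMP packet (link layer already stripped) and list the consistency
    problems worth looking at before deciding whether an alert on it matters."""
    if packet[0] >> 4 != 4 or packet[9] != 1:
        raise ValueError("not an IPv4/ICMP packet")
    ihl = (packet[0] & 0x0F) * 4
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    outer_dst = str(ipaddress.IPv4Address(packet[16:20]))
    icmp = packet[ihl:]
    icmp_type, icmp_code, icmp_csum = struct.unpack("!BBH", icmp[:4])
    report = {
        "outer_src": outer_src, "outer_dst": outer_dst,
        "icmp_type": icmp_type, "icmp_code": icmp_code,
        "ip_checksum_ok": inet_checksum(packet[:ihl]) == 0,
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
        "quoted_src": None, "quoted_dst": None, "quoted_dport": None,
        "anomalies": [],
    }
    if outer_src == outer_dst:
        report["anomalies"].append("outer source and destination address are identical")
    if not report["ip_checksum_ok"]:
        report["anomalies"].append("IPv4 header checksum invalid")
    if not report["icmp_checksum_ok"]:
        report["anomalies"].append("ICMP checksum invalid (field reads 0x%04x)" % icmp_csum)
    # ICMP error messages (types 3, 4, 5, 11, 12) quote the IP header plus the first
    # 8 bytes of the datagram that triggered them; those inner fields must agree
    # with the outer header.
    if icmp_type in (3, 4, 5, 11, 12) and len(icmp) >= 8 + 20:
        inner = icmp[8:]
        inner_ihl = (inner[0] & 0x0F) * 4
        report["quoted_src"] = str(ipaddress.IPv4Address(inner[12:16]))
        report["quoted_dst"] = str(ipaddress.IPv4Address(inner[16:20]))
        if inner[9] in (6, 17) and len(inner) >= inner_ihl + 4:  # TCP or UDP quoted
            report["quoted_dport"] = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
        # A genuine error goes back to whoever sent the original datagram, so the
        # quoted source must equal the outer destination.
        if report["quoted_src"] != outer_dst:
            report["anomalies"].append("quoted datagram source does not match outer destination")
    return report


# Constructed sample packets (not captured traffic). SAMPLE_BAD mirrors the thread:
# outer src == outer dst, quoted datagram addressed to another host on the same /24,
# ICMP checksum field zeroed. SAMPLE_GOOD is a well-formed port-unreachable from the peer.
HOST = "192.0.2.10"
PEER = "192.0.2.77"
_quoted = build_ipv4_header(HOST, PEER, 6, 40) + struct.pack("!HHI", 50084, 46823, 0)
_outer_len = 20 + 8 + len(_quoted)
SAMPLE_BAD = build_ipv4_header(HOST, HOST, 1, _outer_len) + build_icmp_unreachable(_quoted, checksum=0)
SAMPLE_GOOD = build_ipv4_header(PEER, HOST, 1, _outer_len) + build_icmp_unreachable(_quoted)

if __name__ == "__main__":
    for name, pkt in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        r = triage_icmp(pkt)
        print(name, r["anomalies"] or "no anomalies", "quoted dst port:", r["quoted_dport"])
```

To apply this to a real capture, strip the Ethernet header from the frame (14 bytes for an untagged frame, 18 with an 802.1Q tag) and pass the rest to `triage_icmp`. An invalid checksum on an otherwise well-formed packet between two hosts on the same VLAN usually points at a malformed or misgenerated packet rather than an attack; a quoted source that does not match the outer destination is the more interesting inconsistency, since no correctly behaving host or router produces it.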

New Member

Re: sig 1300 victim port 46823

If the checksum is incorrect (all zeros), then it sounds like at least part of the packet is malformed. However, it is probably safe to ignore this packet unless it is having some sort of negative effect on your network.

New Member

Re: sig 1300 victim port 46823

Adam... Thanks for your help.
