08-14-2012 09:18 AM - edited 03-10-2019 05:45 AM
Hello.. my IDS is picking up traffic to a mail server, attacker port 50084 / victim port 46823. Because the ports are both higher order it doesn't look like legitimate traffic. How would I investigate further to define this traffic?
I found this online: Stack-based buffer overflow in Sielco Sistemi Winlog Pro 2.07.00 and earlier, when Run TCP/IP server is enabled, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a crafted 0x02 opcode to TCP port 46823.
But that system is nowhere on the network.
Thanks.
08-14-2012 01:18 PM
Signature 1300 alerts on TCP Segment Manipulation, are you saying you are seeing this signature fire? The specifics on the traffic that it will alert on are shown in the link below:
http://tools.cisco.com/security/center/viewAlert.x?alertId=1160
To categorize the traffic to port 46823 further you would need to get a capture of the traffic (such as through a traffic capture program like Wireshark, or through port mirroring). A traffic capture would allow you to see if it is malicious or not. Even if you don't have a "Sielco Sistemi Winlog Pro" system on your network you still might be getting this malicious traffic in your network somehow.
08-14-2012 01:39 PM
Yes I'm seeing the signature fire. I turned on log pair packet on the IDSM. I've never used it before so am not sure what kind of capture it will produce. Thanks for posting. I'll update when it fires again.
08-14-2012 01:59 PM
Didn't have to wait long. Log pair packet produced an excellent capture that opens in Wireshark. I got an ICMP message in which the source and destination IPs are the same, but down in the ICMP details the destination IP is different and the checksum is incorrect (all zeros). Not sure what it means, but both IPs are on the same VLAN, so I assume it's benign.
Any thoughts?
Thanks.
08-14-2012 02:22 PM
If the checksum is incorrect (all zeros) then it sounds like at least part of the packet is malformed. However, it is probably safe to ignore this packet unless it is having some sort of negative effect on your network.
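For anyone who wants to check a packet like the one described above without eyeballing it in Wireshark, here is an added example (not code from this thread or from Cisco). It parses a raw IPv4/ICMP packet with the standard library only, recomputes the ICMP checksum, and, for ICMP error types, pulls the destination out of the quoted inner IP header so it can be compared with the outer one. The 10.0.0.x addresses and the sample packet are constructed values, not data from the poster's capture.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(pkt: bytes):
    """Return (header length, protocol, src, dst) from an IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    fmt = lambda b: ".".join(str(x) for x in b)
    return ihl, pkt[9], fmt(pkt[12:16]), fmt(pkt[16:20])

def triage_icmp(pkt: bytes) -> dict:
    """Check what the thread looked at: outer src == dst, ICMP checksum,
    and (for ICMP error messages) the destination of the quoted inner packet."""
    ihl, proto, src, dst = parse_ipv4(pkt)
    if proto != 1:
        raise ValueError("not an ICMP packet")
    icmp = pkt[ihl:]
    icmp_type, code, csum = struct.unpack("!BBH", icmp[:4])
    expected = ones_complement_sum(icmp[:2] + b"\x00\x00" + icmp[4:])
    r = {"outer_src": src, "outer_dst": dst, "src_equals_dst": src == dst,
         "icmp_type": icmp_type, "icmp_code": code,
         "checksum_field": csum, "checksum_expected": expected,
         "checksum_ok": csum == expected,
         "inner_dst": None, "inner_dst_differs": False}
    # Types 3/4/5/11/12 quote the offending datagram's IP header (+8 bytes)
    # after the 8-byte ICMP header; that is where the "different" IP lives.
    if icmp_type in (3, 4, 5, 11, 12) and len(icmp) >= 28:
        _, _, inner_src, inner_dst = parse_ipv4(icmp[8:])
        r.update(inner_src=inner_src, inner_dst=inner_dst,
                 inner_dst_differs=inner_dst != dst)
    return r

def build_sample() -> bytes:
    """Constructed packet (not real traffic): outer src == dst, zero ICMP checksum, inner dst differs."""
    def ip_hdr(src, dst, proto, total_len):
        octets = lambda a: bytes(int(o) for o in a.split("."))
        # IP header checksum left at 0 here; triage_icmp does not verify it.
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                           proto, 0, octets(src), octets(dst))
    inner = ip_hdr("10.0.0.5", "10.0.0.9", 17, 28) + b"\x00" * 8
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + inner  # dest unreachable / port
    return ip_hdr("10.0.0.5", "10.0.0.5", 1, 20 + len(icmp)) + icmp
```

To run it against a real capture, export the packet's raw IPv4 bytes from Wireshark and pass them to `triage_icmp`; a `checksum_ok` of False with a zero `checksum_field` is the malformed case discussed above.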
08-14-2012 02:47 PM
Adam ... Thanks for your help.