Cisco Support Community
Community Member

CS-MARS 5.3.x and Top Destination Port "0"?

Hi -

We have a CS-MARS just installed and in the Dashboard under "Activity - All Events and NewFlow - Top Destination Ports", it lists the top port as "0". What is this and why is it doing it?

It is almost double what TCP/80 is. When I run a report, there is no source address, and if I look at the events, they are from our PIX, about tearing down connections and such?

3 REPLIES
Bronze

Re: CS-MARS 5.3.x and Top Destination Port "0"?

Destination Port Ranking : Returns destination ports. Ranked by either number of sessions with that destination port or by bytes transmitted in sessions that contain events that meet the query criteria.

Refer to the following URL for more information on "top destination port 0":

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/5.3/user/guide/global_controller/q_report.html#wp1048282

Activity: Network Usage - Top Destination Ports: This report ranks destination ports by number of network sessions. This report requires that the syslog level of routers or firewalls be set to high to be able to capture session events. This report provides a general usage pattern of the network.

Community Member

Re: CS-MARS 5.3.x and Top Destination Port "0"?

Connections to TCP port 0 are usually used for operating system fingerprinting, and could mean scans are underway. Probably there's malware on the computers on your network (as in most networks).

You should block everything in your firewalls and only allow the TCP ports needed. You can confirm that the TCP port 0 connections were blocked by checking the path graph of those incidents: move the mouse over the lines in the path graph and check whether the path turns red until reaching the Internet, or whether it stops at your firewalls.

Check this:

http://www.grc.com/port_0.htm

http://www.networkpenetration.com/port0.html

Community Member

Re: CS-MARS 5.3.x and Top Destination Port "0"?

Thanks for the replies.

I worked with TAC and it is because the PIX is sending syslog level "debug" to the CS-MARS, and everything it cannot classify is in "0". This includes ICMP, xlation build/teardown, etc.; unfortunately, CS-MARS needs those for sessionization according to the documentation, so they have to come in.

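The effect described in the thread (PIX events that carry no TCP/UDP destination port all landing in a "port 0" bucket, and that bucket outnumbering TCP/80) can be reproduced with a small classifier over PIX-style syslog. The script below is an added example, not code from the thread, from Cisco, or from CS-MARS, and it does not replicate MARS's own sessionization. The log lines are constructed and only modelled on the PIX/ASA "%PIX-<severity>-<message-id>:" format; the direction rule used to pick the destination port (for "outbound" Built events the endpoint after "for" is the server, for "inbound" ones the endpoint after "to") is my reading of that format and is an assumption. It also shows why the Built events matter: the Teardown message has no inbound/outbound marker, so its destination port is only known if the matching Built event was seen, which is what "sessionization" needs.

```python
import re
from collections import Counter

# Constructed sample, modelled on the PIX/ASA "%PIX-<severity>-<message-id>:" syslog
# format. These lines are not from the thread or from a real device.
SAMPLE_LOG = """\
%PIX-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/51234 (198.51.100.7/51234) to inside:192.0.2.10/80 (192.0.2.10/80)
%PIX-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/51234 to inside:192.0.2.10/80 duration 0:00:02 bytes 5120 TCP FINs
%PIX-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.20/443 (203.0.113.20/443) to inside:192.0.2.11/40022 (192.0.2.11/40022)
%PIX-6-302014: Teardown TCP connection 1002 for outside:203.0.113.20/443 to inside:192.0.2.11/40022 duration 0:00:09 bytes 22000 TCP FINs
%PIX-6-302015: Built outbound UDP connection 1003 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:192.0.2.11/33021 (192.0.2.11/33021)
%PIX-6-302016: Teardown UDP connection 1003 for outside:203.0.113.53/53 to inside:192.0.2.11/33021 duration 0:00:01 bytes 140
%PIX-6-302013: Built inbound TCP connection 1004 for outside:198.51.100.8/49152 (198.51.100.8/49152) to inside:192.0.2.10/80 (192.0.2.10/80)
%PIX-6-302014: Teardown TCP connection 1004 for outside:198.51.100.8/49152 to inside:192.0.2.10/80 duration 0:00:04 bytes 8100 TCP FINs
%PIX-6-302014: Teardown TCP connection 999 for outside:203.0.113.20/443 to inside:192.0.2.12/40100 duration 0:10:00 bytes 90000 TCP FINs
%PIX-6-302020: Built inbound ICMP connection for faddr 198.51.100.9/0 gaddr 192.0.2.10/0 laddr 192.0.2.10/0
%PIX-6-302021: Teardown ICMP connection for faddr 198.51.100.9/0 gaddr 192.0.2.10/0 laddr 192.0.2.10/0
%PIX-6-305011: Built dynamic TCP translation from inside:192.0.2.11/40022 to outside:203.0.113.5/40022
%PIX-6-305012: Teardown dynamic TCP translation from inside:192.0.2.11/40022 to outside:203.0.113.5/40022 duration 0:00:30
%PIX-6-609001: Built local-host inside:192.0.2.12
%PIX-6-609002: Teardown local-host inside:192.0.2.12 duration 0:10:01
"""

MSGID_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}):")


def _endpoint(name):
    # interface:address/port, e.g. inside:192.0.2.10/80
    return rf"(?P<{name}_if>\w+):(?P<{name}_ip>[\d.]+)/(?P<{name}_port>\d+)"


# 302013/302014 = Built/Teardown TCP, 302015/302016 = Built/Teardown UDP.
# Only these carry a transport-layer destination port.
CONN_RE = re.compile(
    r"%PIX-\d-(?P<msgid>30201[3-6]): (?P<verb>Built|Teardown)"
    r"(?: (?P<dir>inbound|outbound))? (?P<proto>TCP|UDP) connection (?P<cid>\d+)"
    r" for " + _endpoint("a") + r".*? to " + _endpoint("b")
)


def classify(line, sessions):
    """Return (message_id, destination_port) for one syslog line.

    `sessions` maps connection id -> destination port and is filled from Built
    events; the Teardown message has no inbound/outbound marker, so its
    destination port is only known if the matching Built event was seen.
    Everything without a TCP/UDP destination port lands in bucket 0.
    """
    m = CONN_RE.match(line)
    if m is None:
        mid = MSGID_RE.match(line)
        return (mid["msgid"] if mid else "?"), 0
    if m["verb"] == "Built":
        # Assumption about the PIX format: for "outbound" the endpoint after
        # "for" is the responder (server); for "inbound" the server is the
        # endpoint after "to".
        dport = int(m["a_port"] if m["dir"] == "outbound" else m["b_port"])
        sessions[m["cid"]] = dport
        return m["msgid"], dport
    # Teardown: reuse the port learned from Built; otherwise it is unclassifiable.
    return m["msgid"], sessions.get(m["cid"], 0)


def rank_dst_ports_by_event(log):
    """Naive ranking by raw event count, roughly the dashboard view the poster
    saw: bucket 0 ends up on top of TCP/80."""
    sessions, counts = {}, Counter()
    for line in log.splitlines():
        if line.strip():
            counts[classify(line, sessions)[1]] += 1
    return counts.most_common()


def rank_dst_ports_by_session(log):
    """Ranking by session (one per Built TCP/UDP event), which leaves out the
    ICMP, translation and local-host noise."""
    sessions, counts = {}, Counter()
    for line in log.splitlines():
        m = CONN_RE.match(line)
        if m and m["verb"] == "Built":
            counts[classify(line, sessions)[1]] += 1
    return counts.most_common()


if __name__ == "__main__":
    print("by event:  ", rank_dst_ports_by_event(SAMPLE_LOG))
    print("by session:", rank_dst_ports_by_session(SAMPLE_LOG))
```

On the constructed sample the event-count ranking puts port 0 first (ICMP, xlate, local-host and an orphaned Teardown whose Built was never seen, the situation right after a collector is installed), with TCP/80 second at roughly half the count; counting sessions from Built events instead gives the usage ranking the original poster was after. Whether CS-MARS itself offers exactly that view is not something this example can confirm; it only shows where the "0" comes from.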