https://community.cisco.com/t5/network-security/idm-alert-monitoring/m-p/1076661#M79267 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I had the exact same issue going on at my location, and there were two causes.</P><P></P><P>One was that we had a bluecoat proxy, which uses multiple ports to refresh its website cache, and for new requests.</P><P></P><P>The other cause was a machine that was infested with spyware.</P><P></P><P>If it is a users machine, I would suggest downloading the Sysinternals Suite from Microsoft, and doing a PSLOGGEDON \\<IP> to see who is using that machine.</IP></P><P></P><P>Jason</P></BODY></HTML> Wed, 06 Aug 2008 16:25:30 GMT jason.hurst 2008-08-06T16:25:30Z https://community.cisco.com/t5/network-security/idm-alert-monitoring/m-p/1076659#M79265 <P>Hi,</P><P>Monitoring the IDM alerts show that one of the internal clients attacking outside IP addresses. Couls someone shed light on the above dynamics.</P><P>Thanks.</P><P>Said</P><P></P><P>evIdsAlert: eventId=1216735955474843112 vendor=Cisco severity=informational </P><P> originator: </P><P> hostId: ips </P><P> appName: sensorApp </P><P> appInstanceId: 406 </P><P> time: Jul 29, 2008 12:50:48 UTC offset=0 timeZone=UTC </P><P> signature: description=TCP SYN Host Sweep id=3030 version=S2 </P><P> subsigId: 0 </P><P> marsCategory: Probe/SpecificPorts </P><P> interfaceGroup: vs0 </P><P> vlan: 0 </P><P> participants: </P><P> attacker: </P><P> addr: 192.168.1.207 locality=OUT </P><P> port: 4580 </P><P> target: </P><P> addr: 66.150.11.50 locality=OUT </P><P> os: idSource=unknown type=unknown relevance=relevant </P><P> target: </P><P> addr: 68.180.219.138 locality=OUT </P><P> os: idSource=learned type=bsd relevance=relevant </P><P> target: </P><P> addr: 74.201.95.4 locality=OUT </P><P> os: idSource=unknown type=unknown relevance=relevant </P><P> target: </P><P> addr: 72.247.169.161 locality=OUT </P><P> os: idSource=unknown type=unknown relevance=relevant </P><P> target: </P><P> addr: 207.230.151.254 locality=OUT </P><P> os: idSource=unknown type=unknown relevance=relevant </P><P> target: </P><P> addr: 216.252.124.207 locality=OUT </P><P> os: idSource=learned type=bsd relevance=relevant </P><P> target: </P><P> addr: 67.228.69.100 locality=OUT </P><P> os: idSource=unknown type=unknown relevance=relevant </P><P> target: </P><P> addr: 208.43.2.146 locality=OUT </P><P> os: idSource=unknown type=unknown relevance=relevant </P><P> target: </P><P> addr: 66.196.126.101 locality=OUT </P><P> os: idSource=unknown type=unknown relevance=relevant </P><P> target: </P><P> addr: 69.22.167.239 locality=OUT </P><P> os: idSource=unknown type=unknown relevance=relevant </P><P> target: </P><P> addr: 216.73.87.152 locality=OUT </P><P> os: idSource=unknown type=unknown relevance=relevant </P><P> target: </P><P> addr: 12.130.60.4 locality=OUT </P><P> os: idSource=unknown type=unknown relevance=relevant </P><P> target: </P><P> addr: 66.94.234.72 locality=OUT </P><P> os: idSource=unknown type=unknown relevance=relevant </P><P> target: </P><P> addr: 216.145.50.247 locality=OUT </P><P> os: idSource=unknown type=unknown relevance=relevant </P><P> target: </P><P> addr: 216.252.125.76 locality=OUT </P><P> os: idSource=learned type=bsd relevance=relevant </P><P> target: </P><P> addr: 209.131.37.77 locality=OUT </P><P> os: idSource=learned type=bsd relevance=relevant </P><P> alertDetails: InterfaceAttributes: context="Unknown" physical="Unknown" backplane="GigabitEthernet0/1" ; </P><P> riskRatingValue: 31 targetValueRating=medium attackRelevanceRating=relevant </P><P> threatRatingValue: 31 </P><P> interface: GigabitEthernet0/1 context=Unknown physical=Unknown backplane=GigabitEthernet0/1 </P><P> protocol: tcp </P> Sun, 10 Mar 2019 11:13:32 GMT https://community.cisco.com/t5/network-security/idm-alert-monitoring/m-p/1076659#M79265 saidfrh 2019-03-10T11:13:32Z https://community.cisco.com/t5/network-security/idm-alert-monitoring/m-p/1076660#M79266 <HTML><HEAD></HEAD><BODY><P>A host sweep does not equal an attack. We don't have the destination port here so this could simply be outbound web traffic from a proxy server or outbound mail traffic from your mail server. Perform a packet display on the sensor to see what connections the above IP is making (look at the destination port) and also look for other events with this same source.</P></BODY></HTML> Wed, 30 Jul 2008 16:03:54 GMT https://community.cisco.com/t5/network-security/idm-alert-monitoring/m-p/1076660#M79266 attmidsteam 2008-07-30T16:03:54Z https://community.cisco.com/t5/network-security/idm-alert-monitoring/m-p/1076661#M79267 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I had the exact same issue going on at my location, and there were two causes.</P><P></P><P>One was that we had a bluecoat proxy, which uses multiple ports to refresh its website cache, and for new requests.</P><P></P><P>The other cause was a machine that was infested with spyware.</P><P></P><P>If it is a users machine, I would suggest downloading the Sysinternals Suite from Microsoft, and doing a PSLOGGEDON \\<IP> to see who is using that machine.</IP></P><P></P><P>Jason</P></BODY></HTML> Wed, 06 Aug 2008 16:25:30 GMT https://community.cisco.com/t5/network-security/idm-alert-monitoring/m-p/1076661#M79267 jason.hurst 2008-08-06T16:25:30Z https://community.cisco.com/t5/network-security/idm-alert-monitoring/m-p/1076662#M79268 <HTML><HEAD></HEAD><BODY><P>Jason,</P><P>Thanks.</P><P>Said</P></BODY></HTML> Wed, 06 Aug 2008 17:05:16 GMT https://community.cisco.com/t5/network-security/idm-alert-monitoring/m-p/1076662#M79268 saidfrh 2008-08-06T17:05:16Z https://community.cisco.com/t5/network-security/idm-alert-monitoring/m-p/1076663#M79269 <HTML><HEAD></HEAD><BODY><P>Jason,</P><P>I downloaded and unzipped Sysinternals Suite. Wwhere do I type in PSLOGGEDON \\<IP> ?</IP></P></BODY></HTML> Wed, 06 Aug 2008 17:29:09 GMT https://community.cisco.com/t5/network-security/idm-alert-monitoring/m-p/1076663#M79269 saidfrh 2008-08-06T17:29:09Z https://community.cisco.com/t5/network-security/idm-alert-monitoring/m-p/1076664#M79270 <HTML><HEAD></HEAD><BODY><P>I ran a spyware program on machines that "attcked" outside IPs There were mo spyware found. </P></BODY></HTML> Wed, 06 Aug 2008 19:38:49 GMT https://community.cisco.com/t5/network-security/idm-alert-monitoring/m-p/1076664#M79270 saidfrh 2008-08-06T19:38:49Z