https://community.cisco.com/t5/network-security/nmap-udp-port-sweep/m-p/735854#M86421 <HTML><HEAD></HEAD><BODY><P>No,</P><P></P><P>Source Port :<INTERNAL ip="">: 137,500</INTERNAL></P><P>Destination Port: <EXTERNAL ip="">: 356,357,500</EXTERNAL></P></BODY></HTML> Tue, 19 Jun 2007 17:34:35 GMT sagittarius 2007-06-19T17:34:35Z https://community.cisco.com/t5/network-security/nmap-udp-port-sweep/m-p/735848#M86409 <P>Hi,</P><P>We are getting some events on IPS for Nmap UDP Port Sweep (Signature - 4003). Attacker shows an external address, what can I do for this alert, what actions can I take? </P><P></P> Sun, 10 Mar 2019 10:39:45 GMT https://community.cisco.com/t5/network-security/nmap-udp-port-sweep/m-p/735848#M86409 sagittarius 2019-03-10T10:39:45Z https://community.cisco.com/t5/network-security/nmap-udp-port-sweep/m-p/735849#M86410 <HTML><HEAD></HEAD><BODY><P>Generally, even if it's legitimate it's not something to worry about. More than likely though, it's just return traffic. Please provide the source and destination ports.</P></BODY></HTML> Mon, 18 Jun 2007 21:26:15 GMT https://community.cisco.com/t5/network-security/nmap-udp-port-sweep/m-p/735849#M86410 mhellman 2007-06-18T21:26:15Z https://community.cisco.com/t5/network-security/nmap-udp-port-sweep/m-p/735850#M86412 <HTML><HEAD></HEAD><BODY><P>Destination Port # changes from udp/356,357,358,361,367,359,500 however the attacker port remains the same (500 or 137)</P><P></P><P></P></BODY></HTML> Tue, 19 Jun 2007 16:40:58 GMT https://community.cisco.com/t5/network-security/nmap-udp-port-sweep/m-p/735850#M86412 sagittarius 2007-06-19T16:40:58Z https://community.cisco.com/t5/network-security/nmap-udp-port-sweep/m-p/735851#M86414 <HTML><HEAD></HEAD><BODY><P>udp 500 and 137 are both well known udp ports (isakmp and netbios-ns), so there's a good chance this is udp reply traffic to a know port. Are the source IP addresses internal? Are the destination IP addresses internal?</P></BODY></HTML> Tue, 19 Jun 2007 16:50:35 GMT https://community.cisco.com/t5/network-security/nmap-udp-port-sweep/m-p/735851#M86414 mhellman 2007-06-19T16:50:35Z https://community.cisco.com/t5/network-security/nmap-udp-port-sweep/m-p/735852#M86417 <HTML><HEAD></HEAD><BODY><P>yes source IP is internal and destination is external.</P></BODY></HTML> Tue, 19 Jun 2007 17:09:03 GMT https://community.cisco.com/t5/network-security/nmap-udp-port-sweep/m-p/735852#M86417 sagittarius 2007-06-19T17:09:03Z https://community.cisco.com/t5/network-security/nmap-udp-port-sweep/m-p/735853#M86420 <HTML><HEAD></HEAD><BODY><P>I've confused myself. to clarify:</P><P></P><P>SOURCE IP:PORT = <INTERNAL ip="">:356,357,500,etc</INTERNAL></P><P>DESTINATION IP:PORT = <EXTERNAL ip="">:137,500</EXTERNAL></P><P></P><P>Is that right?</P></BODY></HTML> Tue, 19 Jun 2007 17:16:17 GMT https://community.cisco.com/t5/network-security/nmap-udp-port-sweep/m-p/735853#M86420 mhellman 2007-06-19T17:16:17Z https://community.cisco.com/t5/network-security/nmap-udp-port-sweep/m-p/735854#M86421 <HTML><HEAD></HEAD><BODY><P>No,</P><P></P><P>Source Port :<INTERNAL ip="">: 137,500</INTERNAL></P><P>Destination Port: <EXTERNAL ip="">: 356,357,500</EXTERNAL></P></BODY></HTML> Tue, 19 Jun 2007 17:34:35 GMT https://community.cisco.com/t5/network-security/nmap-udp-port-sweep/m-p/735854#M86421 sagittarius 2007-06-19T17:34:35Z https://community.cisco.com/t5/network-security/nmap-udp-port-sweep/m-p/735855#M86422 <HTML><HEAD></HEAD><BODY><P>I guess I'm missing something. attacker = source ip unless "swap attacker victim" is selected, which it isn't by default for this sig.</P></BODY></HTML> Tue, 19 Jun 2007 17:42:47 GMT https://community.cisco.com/t5/network-security/nmap-udp-port-sweep/m-p/735855#M86422 mhellman 2007-06-19T17:42:47Z