Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
435
Views
0
Helpful
1
Replies

3002 Signature related DNS replication or something else?

enelson
Level 1
Level 1

‎07-14-2006 04:59 PM - edited ‎03-10-2019 03:06 AM

We see this signature alot... 3002 - TCP Syn Port Sweep

Source and destination are internal and port 53-DNS, 88-Kerberos, 135-Endpoint Mapper, 139-Netbios, 389-LDAP, and 445-SMB.

Thoughts?

Labels:
0 Helpful
1 Reply 1

wsulym
Cisco Employee
Cisco Employee

‎07-18-2006 04:19 AM

Sig 3002 triggers on 5 syn's packets from (Host A) to (Host B ports 1-1024). Knowing the trigger condition, you can now look at the "attacker" machine... since it's internal, what is it, what does it do?

Network management tools mapping hosts and services will cause this signature to fire since that behavior is really no different than say an nmap scan. It's also conceivable that given the combination of services running on the attacker, normal operation of that box will cause this to trigger.

The next step is to identify what the "attacker" box is, and what it's doing.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card