07-29-2008 02:29 PM - edited 03-10-2019 04:13 AM
Hi,
Monitoring the IDM alerts shows that one of the internal clients is attacking outside IP addresses. Could someone shed light on the above dynamics.
Thanks.
Said
evIdsAlert: eventId=1216735955474843112 vendor=Cisco severity=informational
originator:
hostId: ips
appName: sensorApp
appInstanceId: 406
time: Jul 29, 2008 12:50:48 UTC offset=0 timeZone=UTC
signature: description=TCP SYN Host Sweep id=3030 version=S2
subsigId: 0
marsCategory: Probe/SpecificPorts
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: 192.168.1.207 locality=OUT
port: 4580
target:
addr: 66.150.11.50 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 68.180.219.138 locality=OUT
os: idSource=learned type=bsd relevance=relevant
target:
addr: 74.201.95.4 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 72.247.169.161 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 207.230.151.254 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 216.252.124.207 locality=OUT
os: idSource=learned type=bsd relevance=relevant
target:
addr: 67.228.69.100 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 208.43.2.146 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 66.196.126.101 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 69.22.167.239 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 216.73.87.152 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 12.130.60.4 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 66.94.234.72 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 216.145.50.247 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 216.252.125.76 locality=OUT
os: idSource=learned type=bsd relevance=relevant
target:
addr: 209.131.37.77 locality=OUT
os: idSource=learned type=bsd relevance=relevant
alertDetails: InterfaceAttributes: context="Unknown" physical="Unknown" backplane="GigabitEthernet0/1" ;
riskRatingValue: 31 targetValueRating=medium attackRelevanceRating=relevant
threatRatingValue: 31
interface: GigabitEthernet0/1 context=Unknown physical=Unknown backplane=GigabitEthernet0/1
protocol: tcp
07-30-2008 09:03 AM
A host sweep does not equal an attack. We don't have the destination port here so this could simply be outbound web traffic from a proxy server or outbound mail traffic from your mail server. Perform a packet display on the sensor to see what connections the above IP is making (look at the destination port) and also look for other events with this same source.
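A small triage helper for the "look for other events with this same source" step above, added here as an example and not code from the thread or from Cisco: it parses the flat evIdsAlert layout shown in the first post and groups host-sweep events (signature id 3030) by internal source, so a proxy or mail server that keeps tripping the sweep stands out by event count and target spread. The two sample records are constructed (target list trimmed); field names follow the alert in the first post.

```python
import re
from collections import defaultdict

# Constructed sample: two evIdsAlert records in the flat "key: value" layout
# shown in the thread (target list trimmed), both from the same internal host.
SAMPLE_ALERTS = """\
evIdsAlert: eventId=1216735955474843112 vendor=Cisco severity=informational
signature: description=TCP SYN Host Sweep id=3030 version=S2
attacker:
addr: 192.168.1.207 locality=OUT
target:
addr: 66.150.11.50 locality=OUT
target:
addr: 68.180.219.138 locality=OUT
riskRatingValue: 31 targetValueRating=medium attackRelevanceRating=relevant
evIdsAlert: eventId=1216735955474843113 vendor=Cisco severity=informational
signature: description=TCP SYN Host Sweep id=3030 version=S2
attacker:
addr: 192.168.1.207 locality=OUT
target:
addr: 74.201.95.4 locality=OUT
riskRatingValue: 31 targetValueRating=medium attackRelevanceRating=relevant
"""

def parse_alerts(text):
    """One dict per evIdsAlert: eventId, signature id, attacker, target list."""
    alerts, role = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("evIdsAlert:"):
            alerts.append({"eventId": re.search(r"eventId=(\d+)", line).group(1),
                           "sig": None, "attacker": None, "targets": []})
        elif not alerts:
            continue                     # skip anything before the first record
        elif line.startswith("signature:"):
            alerts[-1]["sig"] = re.search(r"\bid=(\d+)", line).group(1)
        elif line in ("attacker:", "target:"):
            role = line[:-1]             # the next addr: line belongs to this role
        elif line.startswith("addr:") and role == "attacker":
            alerts[-1]["attacker"] = line.split()[1]
        elif line.startswith("addr:") and role == "target":
            alerts[-1]["targets"].append(line.split()[1])
    return alerts

def sweep_sources(alerts, sig_id="3030"):
    """Per internal source: event count and distinct outside targets for one signature."""
    by_src = defaultdict(lambda: {"events": 0, "targets": set()})
    for a in alerts:
        if a["sig"] == sig_id and a["attacker"]:
            by_src[a["attacker"]]["events"] += 1
            by_src[a["attacker"]]["targets"].update(a["targets"])
    return {src: (v["events"], sorted(v["targets"])) for src, v in by_src.items()}
```

Feed it an export of several alerts and a source whose targets are all well-known web or mail hosts points at a proxy or mail relay; a source fanning out to unrelated addresses is the one to pull a packet display for.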
08-06-2008 09:25 AM
Hi,
I had the exact same issue going on at my location, and there were two causes.
One was that we had a bluecoat proxy, which uses multiple ports to refresh its website cache, and for new requests.
The other cause was a machine that was infested with spyware.
If it is a users machine, I would suggest downloading the Sysinternals Suite from Microsoft, and doing a PSLOGGEDON \\
Jason
08-06-2008 10:05 AM
Jason,
Thanks.
Said
08-06-2008 10:29 AM
Jason,
I downloaded and unzipped Sysinternals Suite. Where do I type in PSLOGGEDON \\
08-06-2008 12:38 PM
I ran a spyware program on machines that "attacked" outside IPs. There was no spyware found.