06-18-2007 01:57 PM - edited 03-10-2019 03:39 AM
Hi,
We are getting some events on IPS for Nmap UDP Port Sweep (Signature 4003). The attacker shows an external address. What can I do about this alert, and what actions can I take?
06-18-2007 02:26 PM
Generally, even if it's legitimate it's not something to worry about. More than likely though, it's just return traffic. Please provide the source and destination ports.
06-19-2007 09:40 AM
Destination port changes across udp/356, 357, 358, 361, 367, 359, 500; however, the attacker port remains the same (500 or 137).
06-19-2007 09:50 AM
udp/500 and udp/137 are both well-known UDP ports (isakmp and netbios-ns), so there's a good chance this is UDP reply traffic from a known port. Are the source IP addresses internal? Are the destination IP addresses internal?
06-19-2007 10:09 AM
Yes, the source IP is internal and the destination is external.
06-19-2007 10:16 AM
I've confused myself. To clarify:
SOURCE IP:PORT =
DESTINATION IP:PORT =
Is that right?
06-19-2007 10:34 AM
No,
Source Port :
Destination Port:
06-19-2007 10:42 AM
I guess I'm missing something. Attacker = source IP unless "swap attacker victim" is selected, which it isn't by default for this sig.
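As an added example, not part of this thread or of Cisco's IPS tooling: a small triage script that applies the heuristic from the replies above (a fixed well-known attacker port such as udp/500 or udp/137 on an internal host, with varying victim ports, points to reply traffic rather than a sweep). The event field names, the internal address ranges and the sample events are assumptions.

```python
# Added example (not from the thread): a triage helper for Cisco IPS
# signature 4003 (Nmap UDP Port Sweep) events. Field names, internal
# ranges and the sample events below are constructed; adapt to your export.
import ipaddress
from collections import defaultdict

# UDP services that answer from a fixed well-known source port
WELL_KNOWN_UDP = {53: "dns", 123: "ntp", 137: "netbios-ns", 161: "snmp", 500: "isakmp"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def triage(events, sweep_threshold=5):
    """Group events by (attacker IP, attacker port) and label each group.
    Returns {(ip, port): (label, sorted victim ports)}."""
    groups = defaultdict(set)
    for ev in events:
        groups[(ev["attacker_ip"], ev["attacker_port"])].add(ev["victim_port"])
    labels = {}
    for (aip, aport), vports in groups.items():
        if aport in WELL_KNOWN_UDP and is_internal(aip):
            # Internal host answering from a fixed service port to many
            # ports: consistent with reply traffic, as the thread suggests
            label = "likely reply traffic (%s)" % WELL_KNOWN_UDP[aport]
        elif aport in WELL_KNOWN_UDP:
            label = "external %s source; check for matching outbound requests" % WELL_KNOWN_UDP[aport]
        elif len(vports) >= sweep_threshold:
            label = "possible UDP sweep; investigate"
        else:
            label = "few ports; likely noise"
        labels[(aip, aport)] = (label, sorted(vports))
    return labels

# Constructed sample: the pattern from the thread (attacker port fixed at 500,
# victim ports varying) plus one sweep-like external source for contrast.
SAMPLE_EVENTS = [
    {"attacker_ip": "10.1.2.3", "attacker_port": 500, "victim_ip": "203.0.113.9", "victim_port": p}
    for p in (356, 357, 358, 361, 367, 359, 500)
] + [
    {"attacker_ip": "198.51.100.7", "attacker_port": 40123, "victim_ip": "10.1.2.3", "victim_port": p}
    for p in range(1, 9)
]

if __name__ == "__main__":
    for key, (label, ports) in triage(SAMPLE_EVENTS).items():
        print(key, label, ports)
```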