source port 0, destination 0.0.0.0

WILLIAM STEGMAN
Level 4

I have an ASA, and an IPS, and am monitoring the segments that terminate on the inside and outside interfaces of the ASA with the IPS. I keep seeing UDP and TCP sweeps coming from the outside interface of the firewall and a couple hosts on the inside. The outside IP address sweeps are probably hosts on the inside since PAT is configured, although the timestamps don't match any alerts for the inside hosts doing the sweeps. Has anyone seen this behavior in their environment? I don't think it's a worm, but I can't find any references indicating examples of legitimate traffic matching this sort of pattern.

thank you,

Bill

2 Replies

Farrukh Haroon
VIP Alumni

This is one of the chatty signatures in the Cisco IPS. It is usually recommended to disable it for internal IPs. Or you can tune it to increase the TCP SYN threshold.

For more details have a look at this post:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&topicID=.ee6e1fc&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cbe4c4e/5#selected_message

Regards

Farrukh

thank you
