06-21-2008 12:49 PM - edited 03-09-2019 08:56 PM
Hi -
We have a CS-MARS just installed and in the Dashboard under "Activity - All Events and NewFlow - Top Destination Ports", it lists the top port as "0". What is this and why is it doing it?
It is almost double what TCP/80 is. When I run a report, there is no source address, and if I look at the events it is from our PIX about tearing down connections and such?
06-26-2008 08:49 AM
Destination Port Ranking : Returns destination ports. Ranked by either number of sessions with that destination port or by bytes transmitted in sessions that contain events that meet the query criteria.
Refer the following url for more info on "top destination port "0"":
Activity: Network Usage - Top Destination Ports: This report ranks destination ports by number of network sessions. This report requires that the syslog level of routers or firewalls be set to high to be able to capture session events. This report provides a general usage pattern of the network.
06-27-2008 10:22 AM
connections to tcp port 0 are usually used for Operating Systems fingerprinting, and could mean scans are undergoing. Probably there's malware in the computers on your network (as most networks).
You should block everything in your Firewalls, and only allow the tcp ports needed, you can confirm the tcp port 0 connections were blocked checking the path graph of those incidents. Move the mouse over the lines in the path graph and check if the path turns red until reaching the internet or if it stops at your firewalls.
Check this:
06-27-2008 03:42 PM
Thanks for the replies.
I worked with TAC and it is b/c the PIX is sending SYSLOG level "debug" to the CS-MARS and everything it cannot classify is in "0"... This includes ICMP, xlation build/teardown, etc; unfortunately, CS-MARS needs those for sessionization according to the documentation, so they have to come in.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide