cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
294
Views
5
Helpful
3
Replies

CSA server polling server on port 0

wilson_1234_2
Level 3
Level 3

We have a server that keeps kicking alerts to our intrusion detection system.

The alert is showing that the CSA server is polling the server on UDP port 0 and the IDS system says this is an invalid port.

The originating port on the CSA server is random.

Is there any reason for CSA to be polling a server on port 0?

This is the only error we are getting like this.

Does anyone have an idea as to what this may be?

3 Replies 3

jwalker
Level 3
Level 3

If you are seeing the alerts on the IPS with a port of 0, you are actually seeing the sensor summarize events. If you change the firing signature to "Fire All", you will see the true port.

Cheers.

Jay

Thanks for the reply.

Since I know nothing about the IDS, how would this be changed and is it something that is easy to do?

You have to edit the signature configuration for that particular signature. Then look for the summarization parameters.... Change it to Fire All.