CTR tries to connect to numerous ports while investigating and event

p.mckay
Level 1

I am trying to get a handle on the CTR application. I have it configured to what I consider a fairly operational state. I am blocking the CTR server from accessing most of my networks with an ACL and slowly letting it out to more and more of the networks. I have been monitoring what it is trying to connect to when it senses an event.

I am curious as to the following. Using this as an example the CTR has detected an IDS signature trigger 3320 which is “SMB: ADMIN$ hidden share access attempt”.

The CTR then tries to go out and determine the OS using the Default Policy. What I have noticed and what concerns me is the number of ports it is attempting to connect to. This concerns me as I am preparing to open the ACL that is blocking the server allowing the CTR access to the majority of my network and production networks.

I need some feel-good here before doing this.

CTR IP address 192.168.131.12 trying to investigate the IDS sig 3320 to 192.168.175.30.

I see the following in my ACL logs:

Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(2301)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(32771)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(106)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(935)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(1480)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(6000)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(121)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(1480)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(252)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(113)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(13)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(7005)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(6050)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(1520)
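To tell the CTR server's expected investigation traffic apart from an unknown host sweeping the same target, here is an added example (not from the post, and not Cisco's code) that parses ACL deny lines in the format quoted above and flags any source that touches many distinct ports on one destination unless it is on an allowlist of known investigation hosts. The sample lines, the 10-port threshold and the 10.9.9.9 source are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the deny lines quoted in the post, e.g.
# "Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(2301)"
DENY_RE = re.compile(
    r"Denied\s+(?P<proto>\w+)\s+(?P<src>[\d.]+)\s*\((?P<sport>\d+)\)"
    r"\s*-\s*>\s*(?P<dst>[\d.]+)\s*\((?P<dport>\d+)\)"
)


def parse_denies(lines):
    """Yield (proto, src, sport, dst, dport) for each line that matches; skip the rest."""
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            yield m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def summarize_sweeps(lines, threshold=10, known_scanners=frozenset()):
    """Group denies by (src, dst) and classify each pair by distinct destination ports.

    Returns {(src, dst): {"ports": [...], "hits": n, "verdict": str}}.  A pair at or
    above `threshold` distinct ports is expected only if `src` is a known scanner
    (e.g. the CTR server); any other source is reported as a possible port sweep.
    """
    per_pair = defaultdict(lambda: {"ports": set(), "hits": 0})
    for _proto, src, _sport, dst, dport in parse_denies(lines):
        per_pair[(src, dst)]["ports"].add(dport)
        per_pair[(src, dst)]["hits"] += 1
    report = {}
    for (src, dst), entry in per_pair.items():
        if len(entry["ports"]) < threshold:
            verdict = "below threshold"
        elif src in known_scanners:
            verdict = "expected: known investigation host"
        else:
            verdict = "ALERT: possible port sweep from unexpected source"
        report[(src, dst)] = {"ports": sorted(entry["ports"]),
                              "hits": entry["hits"], "verdict": verdict}
    return report


# Constructed sample: the ports from the post, re-issued in the post's log format,
# plus a constructed unknown source (10.9.9.9) hitting 15 low ports on the same host.
SAMPLE_PORTS = [2301, 32771, 106, 935, 1480, 6000, 121, 1480, 252, 113, 13, 7005, 6050, 1520]
SAMPLE_LINES = [f"Denied tcp 192.168.131.12 (59109) - > 192.168.175.30({p})" for p in SAMPLE_PORTS]
UNKNOWN_LINES = [f"Denied tcp 10.9.9.9 (51000) - > 192.168.175.30({p})" for p in range(20, 35)]

if __name__ == "__main__":
    for pair, info in summarize_sweeps(SAMPLE_LINES + UNKNOWN_LINES,
                                       known_scanners={"192.168.131.12"}).items():
        print(pair, info["hits"], "hits", len(info["ports"]), "ports:", info["verdict"])
```

Without the CTR server in `known_scanners` its own investigation would be reported as a sweep, which is exactly the noise the ACL logs above show; with it listed, only the unknown source is flagged.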

2 Replies

cskipper
Level 1

To answer your question in short:

CTR uses nmap to determine the OS of the victim.

http://www.insecure.org/nmap/

nmap scans thousands of ports to determine the OS.

As far as CTR deployment scenarios:

If CTR is in your DMZ or even on the edge of your network you will have to open up your firewall to allow CTR to investigate your hosts. From a security standpoint this is NOT recommended.

Alternative Option: Place CTR on the same segment as your protected hosts. This allows CTR to have full access to these hosts. You can configure your firewall to allow Post Office events or RDEP events through to CTR.

Hope this helps

Thanks. I did not realize the CTR used nmap; this helps answer a few of the questions I had. Thanks again.