Host is just the name of the IDS location. Yes, it would have to be generating
inside my network and since I don't own that network it is being pushed out
to the internet. Once it heads out to the internet the IDS sees it. Sadly,
my network is fairly large and flat so I don't have many places I can catch
it with an ACL. It is always the same address and it happens in bursts but
not at the same times.

-----Original Message-----
From: Daniel Cotts [mailto:[EMAIL PROTECTED]] 
Sent: Monday, June 03, 2002 12:05 PM
To: [EMAIL PROTECTED]
Subject: RE: Anyone seen this? [7:45664]

I can ping and trace to that address.
16    54 ms    48 ms    48 ms  l0.washdc3-cmb1.bbnplanet.net [4.0.0.3]
What is the meaning of the "Host:" in your IDS output?
It would seem that the true source of the packet would be within your own
network. - Else how would it get there?
Again, it would seem to be local to the IDS or from a location that had a
default route to the IDS location.
Can you set up access-lists on various router ports that would log traffic
with those addresses? I'm assuming that it is the same ip address each time.

> -----Original Message-----
> From: Maccubbin, Duncan [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 03, 2002 10:12 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Anyone seen this? [7:45664]
> 
> 
> No, the Whois shows it belonging to BBN planet. 
> 
> 
> -----Original Message-----
> From: Daniel Cotts [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, June 03, 2002 11:04 AM
> To: 'Maccubbin, Duncan'; [EMAIL PROTECTED]
> Subject: RE: Anyone seen this? [7:45664]
> 
> First question: Is 4.0.0.3 a valid address on your network? 
> 
> > -----Original Message-----
> > From: Maccubbin, Duncan [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, June 03, 2002 9:01 AM
> > To: [EMAIL PROTECTED]
> > Subject: Anyone seen this? [7:45664]
> > 
> > 
> > My IDS from time to time pulls this up. I don't know how to track it down
> > easily. Any ideas?
> >  
> > IDS ALERT at: 2002-06-03 09:30:06
> > SIGNATURE: BAD TRAFFIC same SRC/DST
> > HOST: TIP3-90Sub
> > SID: 1
> > CID: 945479
> > SRC IP: 4.0.0.3
> > DST IP: 4.0.0.3




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45678&t=45664