Hello, 

I'm seeing lots of activity from a single host sending udp requests that are 
being picked up by psad. 
Any advice on what this might be or what additional info I should be looking 
at, not much info in tcpdump. The following sample is from our argus collector. 
Note the regular attempts to port 41454, and obviously the names have been 
changed to protect the innocent :-). 

06/05/2009-11:07:20.580294 e udp aa.aa.aa.aaa.36582 -> bbb.bbb.bbb.bbb.41454 18 2405 INT
06/05/2009-11:08:07.589522 M udp aa.aa.aa.aaa.37365 -> bbb.bbb.bbb.bbb.55657 1 120 INT
06/05/2009-11:08:07.590108 M udp aa.aa.aa.aaa.37366 -> bbb.bbb.bbb.bbb.52693 1 116 INT
06/05/2009-11:08:07.594268 M udp aa.aa.aa.aaa.37367 -> bbb.bbb.bbb.bbb.24921 1 131 INT
06/05/2009-11:08:07.595323 M udp aa.aa.aa.aaa.37368 -> bbb.bbb.bbb.bbb.43831 1 127 INT
06/05/2009-11:08:17.595980 e udp aa.aa.aa.aaa.37558 -> bbb.bbb.bbb.bbb.3952 1 131 INT
06/05/2009-11:08:17.596394 e udp aa.aa.aa.aaa.37559 -> bbb.bbb.bbb.bbb.13607 1 127 INT
06/05/2009-11:08:27.594601 e udp aa.aa.aa.aaa.36582 -> bbb.bbb.bbb.bbb.41454 2 236 INT
06/05/2009-11:27:09.643194 M udp aa.aa.aa.aaa.63948 -> bbb.bbb.bbb.bbb.19566 1 158 INT
06/05/2009-11:27:19.643621 e udp aa.aa.aa.aaa.64178 -> bbb.bbb.bbb.bbb.47478 1 158 INT
06/05/2009-11:27:29.648252 e udp aa.aa.aa.aaa.64493 -> bbb.bbb.bbb.bbb.18898 1 158 INT
06/05/2009-11:27:29.648808 e udp aa.aa.aa.aaa.64494 -> bbb.bbb.bbb.bbb.15665 1 131 INT
06/05/2009-11:27:29.649793 e udp aa.aa.aa.aaa.64495 -> bbb.bbb.bbb.bbb.34556 1 127 INT
06/05/2009-11:27:39.651859 e udp aa.aa.aa.aaa.64871 -> bbb.bbb.bbb.bbb.59509 1 127 INT
06/05/2009-11:27:39.652179 e udp aa.aa.aa.aaa.64872 -> bbb.bbb.bbb.bbb.25807 1 131 INT
06/05/2009-11:27:49.651497 M udp aa.aa.aa.aaa.65265 -> bbb.bbb.bbb.bbb.38349 1 127 INT
06/05/2009-11:27:49.652212 M udp aa.aa.aa.aaa.65266 -> bbb.bbb.bbb.bbb.7754 1 131 INT
06/05/2009-11:27:49.656424 M udp aa.aa.aa.aaa.65267 -> bbb.bbb.bbb.bbb.24065 1 131 INT
06/05/2009-11:27:49.657388 M udp aa.aa.aa.aaa.65268 -> bbb.bbb.bbb.bbb.51826 1 127 INT
06/05/2009-11:27:08.641187 e udp aa.aa.aa.aaa.63926 -> bbb.bbb.bbb.bbb.41454 13 1764 INT
06/05/2009-11:28:00.662806 e udp aa.aa.aa.aaa.1209 -> bbb.bbb.bbb.bbb.1455 1 131 INT
06/05/2009-11:28:00.663724 e udp aa.aa.aa.aaa.1210 -> bbb.bbb.bbb.bbb.6485 1 127 INT
06/05/2009-11:28:11.663795 e udp aa.aa.aa.aaa.1514 -> bbb.bbb.bbb.bbb.56158 1 131 INT
06/05/2009-11:28:11.664260 e udp aa.aa.aa.aaa.1515 -> bbb.bbb.bbb.bbb.47741 1 127 INT
06/05/2009-11:28:13.674741 M udp aa.aa.aa.aaa.63926 -> bbb.bbb.bbb.bbb.41454 2 258 INT
06/05/2009-11:49:49.291312 e udp aa.aa.aa.aaa.35649 -> bbb.bbb.bbb.bbb.41020 1 158 INT
06/05/2009-11:50:00.290821 e udp aa.aa.aa.aaa.35892 -> bbb.bbb.bbb.bbb.34949 1 158 INT
06/05/2009-11:50:11.295891 e udp aa.aa.aa.aaa.36202 -> bbb.bbb.bbb.bbb.11467 1 158 INT
06/05/2009-11:50:11.296729 e udp aa.aa.aa.aaa.36203 -> bbb.bbb.bbb.bbb.55825 1 131 INT
06/05/2009-11:50:11.296987 e udp aa.aa.aa.aaa.36204 -> bbb.bbb.bbb.bbb.46766 1 127 INT
06/05/2009-11:50:23.298549 M udp aa.aa.aa.aaa.36605 -> bbb.bbb.bbb.bbb.46693 1 127 INT
06/05/2009-11:50:23.299268 M udp aa.aa.aa.aaa.36606 -> bbb.bbb.bbb.bbb.11623 1 131 INT
06/05/2009-11:49:48.287973 e udp aa.aa.aa.aaa.35619 -> bbb.bbb.bbb.bbb.41454 13 1764 INT
06/05/2009-11:50:35.301177 e udp aa.aa.aa.aaa.36996 -> bbb.bbb.bbb.bbb.32041 1 131 INT
06/05/2009-11:50:35.302092 e udp aa.aa.aa.aaa.36997 -> bbb.bbb.bbb.bbb.15308 1 127 INT
06/05/2009-11:50:35.306255 e udp aa.aa.aa.aaa.36998 -> bbb.bbb.bbb.bbb.22965 1 131 INT

Thanks in advance 
Rodney 
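
An added example, not part of the post above and not code from psad or argus: a Python sketch that groups argus records like these by destination port, so ports contacted repeatedly stand apart from ports that receive a single packet. It assumes the column layout seen in the sample (timestamp, flags, protocol, source, destination, packets, bytes, state) and reads the date as month/day; the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Records copied from the post above, each rejoined onto one line.
SAMPLE = """\
06/05/2009-11:07:20.580294 e udp aa.aa.aa.aaa.36582 -> bbb.bbb.bbb.bbb.41454 18 2405 INT
06/05/2009-11:08:07.589522 M udp aa.aa.aa.aaa.37365 -> bbb.bbb.bbb.bbb.55657 1 120 INT
06/05/2009-11:08:27.594601 e udp aa.aa.aa.aaa.36582 -> bbb.bbb.bbb.bbb.41454 2 236 INT
06/05/2009-11:27:08.641187 e udp aa.aa.aa.aaa.63926 -> bbb.bbb.bbb.bbb.41454 13 1764 INT
06/05/2009-11:49:48.287973 e udp aa.aa.aa.aaa.35619 -> bbb.bbb.bbb.bbb.41454 13 1764 INT
06/05/2009-11:50:11.296729 e udp aa.aa.aa.aaa.36203 -> bbb.bbb.bbb.bbb.55825 1 131 INT
"""

# Assumed layout: timestamp flags proto src.port -> dst.port pkts bytes state
REC = re.compile(r"^(?P<ts>\S+)\s+\S+\s+\S+\s+(?P<src>\S+)\s+->\s+"
                 r"(?P<dst>\S+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\S+$")

def parse(text):  # lines that do not match the layout are skipped
    flows = []
    for line in text.splitlines():
        m = REC.match(line.strip())
        if not m:
            continue
        flows.append({
            "ts": datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f"),
            # host and port are joined by a dot, so split on the last one
            "dport": int(m["dst"].rsplit(".", 1)[1]),
            "pkts": int(m["pkts"]),
            "bytes": int(m["bytes"]),
        })
    return flows

def summarize(flows):
    """Per destination port: flow count, packets, bytes, seconds between flows."""
    by_port = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["ts"]):
        by_port[f["dport"]].append(f)
    return {
        port: {
            "flows": len(fl),
            "pkts": sum(f["pkts"] for f in fl),
            "bytes": sum(f["bytes"] for f in fl),
            "gaps_s": [round((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(fl, fl[1:])],
        }
        for port, fl in by_port.items()
    }

def recurring(summary):  # destination ports seen in more than one flow record
    return sorted(p for p, s in summary.items() if s["flows"] > 1)
```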

_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
