Cheers for the advice, Michael. Turns out the problem was DNS lookups against a server that was responding with a modified src IP and src port. Have spoken to the admin and it was a hack that was put in place during an outage and forgotten. I believe it is getting fixed. I guess any queries from a stateful firewall would not allow this sort of response.
----- "Michael Rash" <m...@cipherdyne.org> wrote:
> On May 15, 2009, Rodney McKee wrote:
>
> > Hello,
>
> Hi Rodney -
>
> > I'm seeing lots of activity from a single host sending udp requests that
> > are being picked up by psad.
> > Any advice on what this might be or what additional info I should be
> > looking at, not much info in tcpdump. The following sample is from our argus
> > collector.
> > Note the regular attempts to port 41454, and obviously the names have been
> > changed to protect the innocent :-).
>
> Is there any application listening on port 41454 on the targeted system?
> I don't know of a specific exploit associated with that port, but there
> certainly could be one. I would dump the application layer to look
> for clues, and it would probably be useful also to send the packets
> through Snort with a complete signature set deployed.
>
> There is an interesting spike in the number of sources that are scanning
> for this port according to DShield:
>
> http://www.dshield.org/port.html?port=41454
>
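The root cause Rodney reports (DNS replies coming back from a different source IP and port than the query went to) is exactly the case a connection-tracking firewall rejects, and it is also why psad saw the traffic as unsolicited UDP. The following is an added illustration, not code from the thread or from psad: a toy stateful UDP matcher over a few constructed argus-style flow records. It keys state on the reply 4-tuple a firewall expects (server address and port swapped back towards the client) and treats anything that does not hit a fresh entry as unsolicited. Addresses, ports, timestamps and the 30-second timeout are all assumptions chosen for the example.

```python
"""Toy stateful UDP reply matcher, modelled on what a connection-tracking
firewall does for DNS. Added example for the psad-discuss thread above; the
flow records are constructed, not real argus output."""

from collections import Counter, namedtuple

# direction is "out" (query leaving the protected host) or "in" (reply arriving)
Flow = namedtuple("Flow", "ts direction src_ip src_port dst_ip dst_port")

UDP_TIMEOUT = 30.0  # seconds; an assumed, typical timeout for unreplied UDP state


def classify(flows, timeout=UDP_TIMEOUT):
    """Split inbound flows into (accepted, unsolicited).

    Each outbound query creates a state entry keyed on the exact reply tuple
    the firewall expects. An inbound datagram is accepted only if that key
    exists and is younger than `timeout`; a reply refreshes the entry.
    """
    state = {}  # expected reply 4-tuple -> timestamp of last matching packet
    accepted, unsolicited = [], []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.direction == "out":
            state[(f.dst_ip, f.dst_port, f.src_ip, f.src_port)] = f.ts
            continue
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        created = state.get(key)
        if created is not None and f.ts - created <= timeout:
            accepted.append(f)
            state[key] = f.ts
        else:
            # A reply from a rewritten source IP/port never matches the
            # query's reversed tuple, so it lands here, just as psad would
            # flag it as an unsolicited UDP packet.
            unsolicited.append(f)
    return accepted, unsolicited


def unsolicited_sources(flows, timeout=UDP_TIMEOUT):
    """Count unsolicited inbound packets per source IP, for triage."""
    _, unsolicited = classify(flows, timeout)
    return Counter(f.src_ip for f in unsolicited)


# Constructed sample: 10.0.0.5 is the resolver client, 192.0.2.10 the DNS
# server it queried, 192.0.2.99 a server answering from a rewritten source.
SAMPLE = [
    Flow(0.0, "out", "10.0.0.5", 41454, "192.0.2.10", 53),
    Flow(0.1, "in", "192.0.2.10", 53, "10.0.0.5", 41454),     # proper reply
    Flow(5.0, "out", "10.0.0.5", 41455, "192.0.2.10", 53),
    Flow(5.1, "in", "192.0.2.99", 5353, "10.0.0.5", 41455),   # rewritten src ip/port
    Flow(60.0, "in", "192.0.2.10", 53, "10.0.0.5", 41454),    # stale, state expired
]

if __name__ == "__main__":
    ok, bad = classify(SAMPLE)
    print(f"accepted: {len(ok)}, unsolicited: {len(bad)}")
    for f in bad:
        print(f"  unsolicited from {f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port} at t={f.ts}")
    print(unsolicited_sources(SAMPLE))
```

The second inbound record is the interesting one: the client did send a query, but because the answer arrives from a different address and port, there is no state entry to match it, so a stateful filter drops it and the resolver times out. The stale third reply shows the other failure mode, a legitimate server answering after the state has expired.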
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss