Cheers for the advice, Michael,

Turns out the problem was DNS lookups against a server that was responding with
a modified src IP and src port.
Have spoken to the admin and it was a hack that was put in place during an
outage and forgotten. I believe it is getting fixed.
I guess any queries from a stateful firewall would not allow this sort of
response.



----- "Michael Rash" <m...@cipherdyne.org> wrote: 
> On May 15, 2009, Rodney McKee wrote: 
> 
> > Hello, 
> 
> Hi Rodney - 
> 
> > I'm seeing lots of activity from a single host sending UDP requests that
> > are being picked up by psad.
> > Any advice on what this might be or what additional info I should be
> > looking at, not much info in tcpdump. The following sample is from our argus
> > collector.
> > Note the regular attempts to port 41454, and obviously the names have been
> > changed to protect the innocent :-).
> 
> Is there any application listening on port 41454 on the targeted system? 
> I don't know of a specific exploit associated with that port, but there 
> certainly could be one. I would dump the application layer to look 
> for clues, and it would probably be useful also to send the packets 
> through Snort with a complete signature set deployed. 
> 
> There is an interesting spike in the number of sources that are scanning 
> for this port according to DShield: 
> 
> http://www.dshield.org/port.html?port=41454 
> 
> 
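The following added example (not part of the original thread, and not psad code) models the stateful matching the first message refers to: a UDP reply counts as established only when its source IP and port equal the destination of an outstanding query, so a reply sent from a rewritten address or port is flagged. The addresses, ports, the 30-second timeout and the names `Packet` and `classify_inbound` are constructed for illustration.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    ts: float    # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int

TIMEOUT = 30.0   # assumed lifetime of a UDP state entry, in seconds

def classify_inbound(packets, client_ips):
    """Label each inbound UDP packet the way a stateful filter would see it."""
    state = {}       # (client, cport, server, sport) -> time of last query
    verdicts = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.src in client_ips:          # outbound query creates/refreshes state
            state[(p.src, p.sport, p.dst, p.dport)] = p.ts
            continue
        seen = state.get((p.dst, p.dport, p.src, p.sport))
        if seen is not None and p.ts - seen <= TIMEOUT:
            verdicts.append((p, "established"))
        elif any(k[:2] == (p.dst, p.dport) and p.ts - t <= TIMEOUT
                 for k, t in state.items()):
            # The client socket has a live query, but the reply's source differs.
            verdicts.append((p, "mismatched-source"))
        else:
            verdicts.append((p, "unsolicited"))
    return verdicts

# Constructed sample traffic (documentation address ranges, made-up ports).
CLIENT = "192.0.2.10"
SAMPLE = [
    Packet(0.00, CLIENT, 40001, "198.51.100.53", 53),    # query 1
    Packet(0.02, "198.51.100.53", 53, CLIENT, 40001),    # normal reply
    Packet(1.00, CLIENT, 40002, "198.51.100.53", 53),    # query 2
    Packet(1.03, "198.51.100.99", 1053, CLIENT, 40002),  # reply, rewritten src ip/port
    Packet(5.00, "203.0.113.7", 4444, CLIENT, 40003),    # no query from this port
    Packet(100.0, "198.51.100.53", 53, CLIENT, 40001),   # arrives after state expired
]

if __name__ == "__main__":
    for pkt, verdict in classify_inbound(SAMPLE, {CLIENT}):
        print(f"{pkt.ts:7.2f} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict}")
```
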