There is a switch on the network that is opening 3 ports and then closing them, then reopening them. I am going to disable them and see if anyone screams......Anyone seen this before?
Well, what three ports are they?
This is an L3 switch....It is managed and remotely looked at occasionally.....I know audit and logs are a great idea, but let's say that it has not been viewed as a "need" by elements of the company.
LOL. Ports don't open and close because people sprinkle magic pixie dust on them. If this is a high end switch, it may have an accounting feature which allows admins to schedule specific times when ports will be available. If I had to guess the ports opening and closing (since you didn't specify which ones) I'd say 80, 23 and 22. The other possibility is that someone is fux0ring around in the console and is inadvertently causing the behavior.
Horse, I think you are right. I think someone is messing around, so I am going to set up a Snort box to watch telnet traffic going to the switch.......I know telnet.....I know believe me, but hey there is a huge elephant here and I am trying to eat it a bite at a time........
I wouldn't set up a Snort box for this. There is no reason whatsoever for that. If you want to monitor traffic just use a packet filter. Make sure to look at the ports that are opening and closing though first. If port 20 and 21 keep opening then it probably is a safe bet that someone on the network is just transferring files. If 53 keeps opening then it's just the DNS...you get the point. Just use some common sense.
Uno:
I'd run with Hatebreed but I would just monitor the IP address. That way you capture all the data to and from the switch regardless of its port number. Then you can filter the resulting file until you find what is going on.
You guys rock, thanks
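Added example, not written by any poster in this thread: the "capture everything to and from the switch's IP, then filter the file" approach suggested above, as a Python script that reads a classic pcap file and counts packets per peer and switch-side port. The function names, the Ethernet-capture assumption and the 192.0.2.x addresses in the constructed sample are assumptions, not details from the thread.

```python
import socket
import struct
from collections import Counter

def tally_switch_ports(pcap: bytes, switch_ip: str) -> Counter:
    """Count TCP/UDP packets per (peer IP, protocol, switch-side port)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    target, counts, off = socket.inet_aton(switch_ip), Counter(), 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not plain IPv4; VLAN-tagged and IPv6 frames are skipped
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        if proto not in (6, 17) or len(ip) < ihl + 4:
            continue  # only TCP and UDP carry port numbers
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        name = "tcp" if proto == 6 else "udp"
        if ip[16:20] == target:      # traffic towards the switch
            counts[(socket.inet_ntoa(ip[12:16]), name, dport)] += 1
        elif ip[12:16] == target:    # replies from the switch
            counts[(socket.inet_ntoa(ip[16:20]), name, sport)] += 1
    return counts

def _frame(src, dst, proto, sport, dport):
    """Constructed sample frame: Ethernet + IPv4 header + L4 port fields."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport)

def sample_pcap() -> bytes:
    """Constructed capture; all addresses are documentation-range placeholders."""
    sw, frames = "192.0.2.1", []
    frames += [_frame("192.0.2.50", sw, 6, 40000, 23)] * 2   # telnet to switch
    frames += [_frame(sw, "192.0.2.50", 6, 23, 40000)]       # switch replies
    frames += [_frame("192.0.2.60", sw, 6, 40001, 22)]       # ssh to switch
    frames += [_frame("192.0.2.50", sw, 17, 40002, 161)]     # snmp poll
    frames += [_frame("192.0.2.60", "192.0.2.70", 6, 40003, 80)]  # unrelated
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    print(tally_switch_ports(sample_pcap(), "192.0.2.1").most_common())
```

Grouping by peer address as well as port shows which host is driving each management session, which is the question the thread is trying to answer.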