June 15th, 2004, 06:58 PM
Switch is opening and closing ports
There is a switch on the network that is opening 3 ports and then closing them, then reopening them. I am going to disable them and see if anyone screams......Anyone seen this before?
June 15th, 2004, 07:00 PM
Well, what three port's is it?
June 15th, 2004, 07:11 PM
This is an L3 switch....It is managed and remotely looked at occasionally.....I know audit and logs are a great idea, but lets say that it has not been viewed as a "need" by elements of the company
June 15th, 2004, 07:22 PM
LOL. Ports don't open and close because poeple sprinkle magic pixy dust on them. If this is a high end switch, it may have an accounting feature which allows admins to schedule specific times when ports will be available. If I had to guess the ports opening and closing (since you didn't specify which ones) I'd say 80,23 and 22. The other possibility is that someone is fux0ring around in the console and is inadvertantly causing the behavior.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
June 15th, 2004, 07:38 PM
I believe it is door number 2
Horse I think you are right. I think someone is messing around, so I am going to setup a snort box to watch telnet traffic going to the switch.......I know telnet.....I know believe me, but hey there is a huge elephant here and I am trying to eat it a bite at a time........
June 15th, 2004, 07:52 PM
I wouldn't set up a snort box for this. There is no reason once so ever for that. If you want to monitor traffic just use a packet filter. Make sure to look at the ports that are opening and closing though first. if port 20 and 21 keep opening then it propbably is a safe bet that someone on the network is just transfering files. If 53 keeps opening then its just the DNS...you get the point. Just use some common sense.
Don\'t be a bitch! Use Slackware.
June 15th, 2004, 09:35 PM
I'd run with Hatebreed but I would just monitor the IP address. That way you capture all the data to and from the switch regardless of it's port number. Then you can filter the resulting file until you find what is going on.
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
June 15th, 2004, 10:06 PM