Results 1 to 8 of 8

Thread: Switch is opening and closing ports

  1. #1
    Member
    Join Date
    Jan 2004
    Posts
    33

    Switch is opening and closing ports

    There is a switch on the network that is opening 3 ports and then closing them, then reopening them. I am going to disable them and see if anyone screams......Anyone seen this before?

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Well, what three port's is it?
    Space For Rent.. =]

  3. #3
    Member
    Join Date
    Jan 2004
    Posts
    33

    Switch

    This is an L3 switch....It is managed and remotely looked at occasionally.....I know audit and logs are a great idea, but lets say that it has not been viewed as a "need" by elements of the company

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    LOL. Ports don't open and close because poeple sprinkle magic pixy dust on them. If this is a high end switch, it may have an accounting feature which allows admins to schedule specific times when ports will be available. If I had to guess the ports opening and closing (since you didn't specify which ones) I'd say 80,23 and 22. The other possibility is that someone is fux0ring around in the console and is inadvertantly causing the behavior.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Member
    Join Date
    Jan 2004
    Posts
    33

    I believe it is door number 2

    Horse I think you are right. I think someone is messing around, so I am going to setup a snort box to watch telnet traffic going to the switch.......I know telnet.....I know believe me, but hey there is a huge elephant here and I am trying to eat it a bite at a time........

  6. #6
    Senior Member
    Join Date
    Nov 2002
    Posts
    339
    I wouldn't set up a snort box for this. There is no reason once so ever for that. If you want to monitor traffic just use a packet filter. Make sure to look at the ports that are opening and closing though first. if port 20 and 21 keep opening then it propbably is a safe bet that someone on the network is just transfering files. If 53 keeps opening then its just the DNS...you get the point. Just use some common sense.
    Don\'t be a bitch! Use Slackware.

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Uno:

    I'd run with Hatebreed but I would just monitor the IP address. That way you capture all the data to and from the switch regardless of it's port number. Then you can filter the resulting file until you find what is going on.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  8. #8
    Member
    Join Date
    Jan 2004
    Posts
    33

    Thanks for the input

    You guys rock, thanks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •