
Port 10101 --> Symantec

I noticed a great deal of entries in my IPS log.

They all look like this: 
2011:12:28-15:50:29 wahine ulogd[5994]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="4:c:ce:dc:50:82" dstmac="0:c:29:67:ac:84" srcip="10.1.2.3"[my mac client]  dstip="198.153.192.3" proto="17" length="237" tos="0x00" prec="0x00" ttl="64" srcport="55439" dstport="10101" 

Note the destination port: 10101 
This is the same port that Astaro used for its "cloud based" log management.
Destination ip:  198.153.192.3 [details below]


The destination IP address is for the following: 
   NetRange: 198.153.190.0 - 198.153.196.255
   CIDR: 198.153.190.0/23, 198.153.196.0/24, 198.153.192.0/22
   NetType: Direct Assignment
   OrgName: Symantec Corporation
   Address: 20330 Stevens Creek Blvd
   City: Cupertino
   StateProv: CA
   OrgAbuseName: Symantec IP Administrator
   OrgAbusePhone: +1-650-527-8000
   OrgAbuseEmail: dl-it-ip-admin@symantec.com

I have no Symantec products installed on my machine.

Question:  Is there any official relationship between Astaro and Symantec that might explain this traffic?

Can anyone assist in identifying this traffic?

Thanks,

Dougga


  • Interesting!  I have an IPS Exception for traffic coming from our Win2003 Server, so I see nothing in our IPS log.  However, look what started appearing in the firewall log at the rate of about one a second - here's the first line:
    2011:12:29-00:00:10 post ulogd[4952]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x316a" app="362" srcmac="0:13:21:x:y:z" dstmac="0:50:8b:a:b:c" srcip="10.xx.yy.7" dstip="10.xx.yy.34" proto="17" length="618" tos="0x00" prec="0x00" ttl="128" srcport="30553" dstport="10101" 


    I just deactivated "snare" on my WinServer (this was the tool used to relay logging to the Astaro for log management), and the entries stopped appearing.

    Thanks, Dougga, for the heads-up!

    Cheers - Bob
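Both posts above work from the same Astaro ulogd line format (a timestamp, hostname and `ulogd[pid]:` prefix followed by `key="value"` pairs), and both end up asking the same question: which internal host is sending UDP to port 10101, and how often? The script below is an added example, not code from the thread or from Astaro; it parses that format and summarizes flows toward a given destination port per source host, which is the check Bob did by hand before disabling snare. The log lines in `SAMPLE_LOG` are constructed for the example (private addresses, invented MACs omitted) and are not from either poster's logs.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Header: timestamp, hostname, "ulogd[pid]:", then a run of key="value" pairs.
HEADER_RE = re.compile(r'^(\S+)\s+(\S+)\s+ulogd\[\d+\]:\s+(.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines modelled on the ulogd format quoted in the thread.
SAMPLE_LOG = [
    '2011:12:28-15:50:29 wahine ulogd[5994]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcip="10.1.2.3" dstip="198.153.192.3" proto="17" length="237" ttl="64" srcport="55439" dstport="10101"',
    '2011:12:28-15:50:30 wahine ulogd[5994]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcip="10.1.2.3" dstip="198.153.192.3" proto="17" length="240" ttl="64" srcport="55439" dstport="10101"',
    '2011:12:28-15:50:31 wahine ulogd[5994]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcip="10.1.2.3" dstip="198.153.192.3" proto="17" length="233" ttl="64" srcport="55439" dstport="10101"',
    # An unrelated DNS query from the same host: must not be counted for port 10101.
    '2011:12:28-15:50:31 wahine ulogd[5994]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="10.1.2.3" dstip="10.1.2.1" proto="17" length="70" ttl="64" srcport="40001" dstport="53"',
    # A second host (a log relay, as in Bob's post) sending one packet to an internal collector.
    '2011:12:29-00:00:10 post ulogd[4952]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="10.1.2.4" dstip="10.1.2.34" proto="17" length="618" ttl="128" srcport="30553" dstport="10101"',
    # A non-ulogd syslog line: the parser must skip it rather than crash.
    '2011:12:29-00:00:11 post kernel: eth0: link is up',
]


def parse_line(line):
    """Parse one ulogd line into a dict of fields plus 'ts' and 'host'.

    Returns None for lines that are not ulogd records or have an unparseable timestamp.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ts_text, host, rest = m.groups()
    try:
        ts = datetime.strptime(ts_text, "%Y:%m:%d-%H:%M:%S")
    except ValueError:
        return None
    rec = {"ts": ts, "host": host}
    rec.update(KV_RE.findall(rest))  # list of (key, value) tuples
    return rec


def flows_to_port(lines, port="10101"):
    """Count packets per (srcip, dstip, proto) triple whose dstport equals `port`."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("dstport") == port:
            counts[(rec.get("srcip"), rec.get("dstip"), rec.get("proto"))] += 1
    return counts


def rate_per_source(lines, port="10101"):
    """Approximate packets per second from each source IP toward `port`.

    Rate is count divided by the observed time span; a single packet, or several
    within the same second, is reported as the raw count (span of 0 s).
    """
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("dstport") == port:
            stamps[rec.get("srcip")].append(rec["ts"])
    rates = {}
    for src, ts_list in stamps.items():
        span = (max(ts_list) - min(ts_list)).total_seconds()
        rates[src] = len(ts_list) / span if span > 0 else float(len(ts_list))
    return rates


if __name__ == "__main__":
    for (src, dst, proto), n in flows_to_port(SAMPLE_LOG).most_common():
        print(f"{src} -> {dst} proto {proto}: {n} packets")
    for src, rate in rate_per_source(SAMPLE_LOG).items():
        print(f"{src}: about {rate:.2f} packets/s to port 10101")
```

Point the functions at a real file (`flows_to_port(open("/var/log/packetfilter.log"))`, path assumed) and the `most_common()` output tells you which host to look at; a steady rate near one packet per second from one server, as Bob observed, points at a log forwarder rather than a flood.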