Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 2 subscribers
  • Views 3416 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Port 5294

Aresh
Hi,

Does anyone knows what application use the port 5294? in the firewall log I see some drop packets that is oraginated from one of our trusted networks.

I also see this packet from other IPs that I dont know anything about them so for those IP I have no problem with but I want to know what application from the trusted IP try to access this port.

[HTML]2015:10:02-09:05:21 securitysrv1-1 ulogd[25875]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="54:e0:32:06:76:9a" dstmac="00:1a:8c:f0:0f:a1" srcip="82.XX.XX.54" dstip="62.XX.XX.184" proto="6" length="52" tos="0x00" prec="0x00" ttl="120" srcport="50446" dstport="5294" tcpflags="SYN" [/HTML]


This thread was automatically locked due to age.
Parents
  • 0
    Glad you found more info, I hope you find out what is trying to probe that port and discover it's legitimacy [:)]
  • 0 in reply to Emile Belcourt
    Hi E.Belcourt

    I did check the log one more time and problem is that almost impossible to findout witch machine on the trusted network try to access the port 5294.
    the reson is that port 5294 get blocked at UTM and socurce port each time is different.

    as you can see in this 2 log entry:

    [HTML]015:10:05-09:06:47 securitysrv1-1 ulogd[13301]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="54:e0:32:06:76:9a" dstmac="00:1a:8c:f0:0f:a1" srcip="82.XX.XX.54" dstip="62.XX.XX.184" proto="6" length="52" tos="0x00" prec="0x00" ttl="120" srcport="63182" dstport="5294" tcpflags="SYN" 
    2015:10:05-09:06:47 securitysrv1-1 ulogd[13301]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="54:e0:32:06:76:9a" dstmac="00:1a:8c:f0:0f:a1" srcip="82.XX.XX.54" dstip="62.XX.X.184" proto="6" length="52" tos="0x00" prec="0x00" ttl="120" srcport="63183" dstport="5294" tcpflags="SYN" [/HTML]
  • 0 in reply to Aresh
    Hi E.Belcourt

    I did check the log one more time and problem is that almost impossible to findout witch machine on the trusted network try to access the port 5294.
    the reson is that port 5294 get blocked at UTM and socurce port each time is different.

    as you can see in this 2 log entry:

    [HTML]015:10:05-09:06:47 securitysrv1-1 ulogd[13301]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="54:e0:32:06:76:9a" dstmac="00:1a:8c:f0:0f:a1" srcip="82.XX.XX.54" dstip="62.XX.XX.184" proto="6" length="52" tos="0x00" prec="0x00" ttl="120" srcport="63182" dstport="5294" tcpflags="SYN" 
    2015:10:05-09:06:47 securitysrv1-1 ulogd[13301]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="54:e0:32:06:76:9a" dstmac="00:1a:8c:f0:0f:a1" srcip="82.XX.XX.54" dstip="62.XX.X.184" proto="6" length="52" tos="0x00" prec="0x00" ttl="120" srcport="63183" dstport="5294" tcpflags="SYN" [/HTML]


    Cant you work it out from the ip address, if not, use the mac address decoder

    (one of the is a Juniper Networks device, the other is the UTM)
Reply
  • 0 in reply to Aresh
    Hi E.Belcourt

    I did check the log one more time and problem is that almost impossible to findout witch machine on the trusted network try to access the port 5294.
    the reson is that port 5294 get blocked at UTM and socurce port each time is different.

    as you can see in this 2 log entry:

    [HTML]015:10:05-09:06:47 securitysrv1-1 ulogd[13301]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="54:e0:32:06:76:9a" dstmac="00:1a:8c:f0:0f:a1" srcip="82.XX.XX.54" dstip="62.XX.XX.184" proto="6" length="52" tos="0x00" prec="0x00" ttl="120" srcport="63182" dstport="5294" tcpflags="SYN" 
    2015:10:05-09:06:47 securitysrv1-1 ulogd[13301]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="54:e0:32:06:76:9a" dstmac="00:1a:8c:f0:0f:a1" srcip="82.XX.XX.54" dstip="62.XX.X.184" proto="6" length="52" tos="0x00" prec="0x00" ttl="120" srcport="63183" dstport="5294" tcpflags="SYN" [/HTML]


    Cant you work it out from the ip address, if not, use the mac address decoder

    (one of the is a Juniper Networks device, the other is the UTM)
Children
No Data