This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

botnet attack


Hi all, today in our Symantec SIEM product we observed a botnet log showing destination port 7000, but the strange thing is that it shows the protocol as ICMP. As far as I know, ICMP has nothing to do with TCP ports? The Symantec SIEM product gets these logs from our firewall, and in the firewall we have only allowed the ICMP echo request and reply service. I am sure it is ICMP traffic only, but why is a port showing? The source of the traffic is a Linux machine.

asked 19 Jun '13, 06:22

kishan pandey


2 Answers:


> I am sure it is ICMP traffic only, but why is a port showing?

Some possibilities:

  • a bug in your SIEM product
  • your interpretation of the "port" statement in the SIEM logs is wrong
  • there is really a TCP/UDP port involved (IP tunnel via ICMP) and the firewall detected that (rather unlikely)

Regards
Kurt

answered 19 Jun '13, 06:33

Kurt Knochner ♦

edited 22 Jun '13, 02:31


Maybe it was an ICMP Destination Unreachable packet and the port number was taken from the original IP packet, which is returned inside the ICMP Destination Unreachable packet.

answered 19 Jun '13, 08:54

Jim Aragon
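The mechanism in Jim's answer, worked through as an added example (constructed for this archive page, not code from the original thread, from Wireshark or from Symantec): RFC 792 requires an ICMP Destination Unreachable message to quote the IP header of the offending datagram plus the first 8 bytes of its data, and for TCP and UDP those 8 bytes begin with the source and destination ports. The script builds such a packet for a made-up UDP datagram to port 7000, parses it back, and shows how a log normaliser that keeps the outer protocol but lifts the port from the quoted datagram produces the "protocol ICMP, destination port 7000" line. All addresses, ports and the `naive_siem_fields` normaliser are assumptions for illustration; which side the firewall records as "source" depends on how that product normalises the outer versus the quoted packet.

```python
"""Constructed example: how a port number ends up in an "ICMP" log entry.

An ICMP Destination Unreachable (type 3) quotes the IP header and first 8 bytes
of the datagram that provoked it, so a parser that looks inside can legitimately
report a TCP/UDP port for an ICMP packet. Addresses and ports are made up.
"""
import socket
import struct

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
ICMP_DEST_UNREACH = 3
PROTO_NAMES = {PROTO_ICMP: "ICMP", PROTO_TCP: "TCP", PROTO_UDP: "UDP"}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, shared by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_icmp_unreachable(reporter: str, orig_src: str, orig_dst: str,
                           orig_proto: int, sport: int, dport: int, code: int = 3) -> bytes:
    """Build the IPv4/ICMP type 3 packet a host or router sends back to orig_src.

    code 3 is "port unreachable". The ICMP payload quotes the original IP header
    and the first 8 bytes of its transport data, as RFC 792 requires.
    """
    if orig_proto == PROTO_UDP:
        transport = struct.pack("!HHHH", sport, dport, 12, 0) + b"ping"   # UDP header + 4 data bytes
    else:
        transport = struct.pack("!HHIIHHHH", sport, dport, 1, 0, 0x5002, 0xFFFF, 0, 0)  # TCP SYN
    orig_ip = ipv4_header(orig_src, orig_dst, orig_proto, len(transport))
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + orig_ip + transport[:8]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(reporter, orig_src, PROTO_ICMP, len(icmp)) + icmp


def parse(packet: bytes) -> dict:
    """Decode an IPv4 packet; for ICMP Destination Unreachable also decode the quoted datagram."""
    ihl = (packet[0] & 0x0F) * 4
    info = {"proto": packet[9],
            "src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20])}
    if info["proto"] != PROTO_ICMP:
        return info
    icmp = packet[ihl:]
    info.update(icmp_type=icmp[0], icmp_code=icmp[1])
    if info["icmp_type"] != ICMP_DEST_UNREACH:
        return info                       # e.g. echo request/reply: nothing quoted, no port
    inner = icmp[8:]                      # the quoted original datagram
    inner_ihl = (inner[0] & 0x0F) * 4
    quoted = {"proto": inner[9],
              "src": socket.inet_ntoa(inner[12:16]),
              "dst": socket.inet_ntoa(inner[16:20])}
    if quoted["proto"] in (PROTO_TCP, PROTO_UDP) and len(inner) >= inner_ihl + 4:
        # ports are the first 4 bytes of both TCP and UDP, inside the 8 quoted bytes
        quoted["sport"], quoted["dport"] = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    info["quoted"] = quoted
    return info


def naive_siem_fields(packet: bytes) -> dict:
    """Hypothetical log normaliser: keeps the outer protocol but lifts the port
    from the quoted datagram, giving the puzzling 'protocol ICMP, dst_port 7000'."""
    info = parse(packet)
    fields = {"protocol": PROTO_NAMES.get(info["proto"], str(info["proto"])),
              "src": info["src"], "dst": info["dst"], "dst_port": None}
    if "quoted" in info:
        fields["dst_port"] = info["quoted"].get("dport")
    return fields


if __name__ == "__main__":
    # Made-up scenario: Linux host 10.0.0.5 sent UDP 40000 -> 198.51.100.7:7000
    # and 198.51.100.7 answered with ICMP port unreachable.
    pkt = build_icmp_unreachable("198.51.100.7", "10.0.0.5", "198.51.100.7",
                                 PROTO_UDP, 40000, 7000)
    print(parse(pkt))
    print(naive_siem_fields(pkt))
```

To confirm this on the wire rather than in the SIEM, capture on the firewall or the Linux host and use the Wireshark display filter `icmp.type == 3`: Wireshark dissects the quoted header and shows the original destination port under the ICMP message, and the ICMP code tells you whether it was port, host or network unreachable. If the capture shows only echo requests and replies (type 8 and 0), there is no quoted datagram and the port in the log must have come from somewhere else, which brings you back to Kurt's first two possibilities.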