Getting Data In

Why is my Heavy Forwarder initiating TCP scans and sweeps

DavidHume0507
Engager

I'm getting alerts from my firewall that my Heavy Forwarder Unix box (only program that's installed) is initiating TCP scans and sweeps. I have Universal Forwarders installed that should be pushing data to the Heavy Forwarder, but I don't see any reason why the HF is doing any scanning. My understanding is that a forwarder will initiate a connection with a destination, so it should be the UFs contacting the HF, not the other way around. The HF local/input doesn't specify anything outside of defaults and a local log file. Does anyone know why these TCP scans are taking place? Is there any other config or log file I can look into to obtain additional information? Thanks.

0 Karma

Adrian
Path Finder

I would suggest doing a packet capture on the Heavy Forwarder to understand what in fact is occurring. This appears to be anomalous behavior and could indicate you have a compromised system.
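As an added example, not part of the original thread, here is a small Python script for triaging the capture suggested above: it parses SYN-only lines from tcpdump run on the HF and separates the HF's outbound connection attempts into port scans (many ports on one host), sweeps (one port across many hosts) and steady connections to a few destinations, which is what the forwarder's own outputs (indexers on the default receiving port 9997, for instance) should look like. The capture text, the HF address 10.0.0.5 and the threshold of 5 are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches the SYN-only lines printed by
#   tcpdump -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
SYN_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]")

def parse_syns(capture_text):
    """Return (src_ip, dst_ip, dst_port) for every SYN line in the capture."""
    out = []
    for line in capture_text.splitlines():
        m = SYN_RE.search(line)
        if m:
            out.append((m.group(1), m.group(3), int(m.group(4))))
    return out

def classify(capture_text, host_ip, threshold=5):
    """Keep only SYNs initiated by host_ip (inbound UF -> HF traffic is expected
    and skipped), then flag scans and sweeps; everything else is 'steady' and
    should match the forwarder's configured outputs."""
    ports_by_host = defaultdict(set)
    hosts_by_port = defaultdict(set)
    for src, dst, port in parse_syns(capture_text):
        if src != host_ip:
            continue
        ports_by_host[dst].add(port)
        hosts_by_port[port].add(dst)
    scans = {h: sorted(p) for h, p in ports_by_host.items() if len(p) >= threshold}
    sweeps = {p: sorted(h) for p, h in hosts_by_port.items() if len(h) >= threshold}
    swept = {h for hs in sweeps.values() for h in hs}
    steady = {h: sorted(p) for h, p in ports_by_host.items()
              if h not in scans and h not in swept}
    return {"scans": scans, "sweeps": sweeps, "steady": steady}

# Constructed sample capture (not real data) as seen on the HF at 10.0.0.5.
SAMPLE = "\n".join(
    ["12:00:01.0 IP 10.0.0.9.50001 > 10.0.0.5.9997: Flags [S], win 64240, length 0"]  # UF -> HF
    + [f"12:00:02.{i} IP 10.0.0.5.4100{i} > 10.0.1.20.9997: Flags [S], win 64240, length 0"
       for i in range(2)]                                                          # HF -> indexer
    + [f"12:00:03.{i} IP 10.0.0.5.4200{i} > 10.0.2.7.{p}: Flags [S], win 1024, length 0"
       for i, p in enumerate([21, 22, 23, 25, 80, 443])]                           # one host, many ports
    + [f"12:00:04.{i} IP 10.0.0.5.4300{i} > 10.0.3.{i}.445: Flags [S], win 1024, length 0"
       for i in range(1, 6)])                                                      # many hosts, one port

if __name__ == "__main__":
    for kind, hits in classify(SAMPLE, "10.0.0.5").items():
        print(kind, hits)
```

Anything listed under scans or sweeps can then be tied to a process with `ss -tnp` or `lsof -i` while the capture is running; if it is not splunkd, or splunkd is talking to hosts that are not in its outputs, the "compromised system" possibility above is worth taking seriously.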
