Netflow Question

Quick netflow question. In what cases would you get a flow where the source and destination IP's are different, but the source and destination ports are the same? I have a theory, but was hoping someone could throw up a few alternatives as well.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

networker050184

What is the port?

the_Grinch

3389 is the port...not positive the traffic is definitely RDP.

SteveO86

Could it be a custom application?

the_Grinch

99.9% sure it is not

ande0255

Out of curiousity, what leads you to believe it's not RDP traffic? Is the source IP completely unknown or originating from the LAN? I've had a few customers that got periodically probed for RDP vulnerabilities, then some other MSP poked a bunch of holes in there ASA for port 3389, and there DC started firing off alerts every 2-3 seconds from what seemed to be brute force attacks.

the_Grinch

Can't go into a ton of detail, but there are somethings that make me believe it might not be RDP. It very well could be, but I have some doubts.

wastedtime

There is a ton of stuff it could be. I've seen where people have done a SSH tunnel like that and even home brewed protocols for peer to peer communications. There isn't many protocols that I can think of that use the same source and destination ports.

Edit:
I would love to know what this is even if you can't go into details.

the_Grinch

Haha, we're working on it and hopefully at some point a picture will be painted. Thanks guys! Confirmed my theories.