Skynet Skynet source port 52599

agilani

Very Senior Member
I noticed something interesting. Almost 90+ percent of all inbound traffic blocked is using source port 52599. Not sure why this would be unless they are mostly using the same toolset? And does this mean that by just blocking incoming source port 52599 I can block a whole lot of malicious traffic? I'm sure it may block some legitimate traffic outbound that may be sourced from the same port, but you should be able to apply it to inbound traffic only. Now i wish i had realtime flow data to analyze this.

1608308596025.png
 

agilani

Very Senior Member
Thanks. Where are you located? maybe the attack vectors are different for different geographies? its temping to install graylog again and feed all flow data and see if there is a pattern.
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top