Snort mailing list archives

Attacks From Firewall IP

From: Wade Dixon <wmd2001 () yahoo com>
Date: Thu, 28 Feb 2002 12:11:57 -0800 (PST)
I've only had an IDS running on my little network
since the beginning of the year, and in that time I've
seen 3 or 4 attacks which snort sees as coming from
the outside firewall IP.  The latest was today, here
are the logs:

[**] [1:990:2] WEB-IIS _vti_inf access [**]
[Classification: access to a potentually vulnerable
web application] [Priority: 2]
02/28-13:05:15.715340 (FW external):10158 ->
(webserver internal):80
TCP TTL:125 TOS:0x0 ID:47750 IpLen:20 DgmLen:315 DF
***AP*** Seq: 0xBD942027  Ack: 0xC3F50B15  Win: 0x4470
 TcpLen: 20

[**] [1:937:3] WEB-FRONTPAGE _vti_rpc access [**]
[Classification: access to a potentually vulnerable
web application] [Priority: 2]
02/28-13:05:15.950989 (FW external):10158 ->
(webserver internal):80
TCP TTL:125 TOS:0x0 ID:47753 IpLen:20 DgmLen:440 DF
***AP*** Seq: 0xBD94213A  Ack: 0xC3F512D6  Win: 0x4470
 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2144]

[**] [1:937:3] WEB-FRONTPAGE _vti_rpc access [**]
[Classification: access to a potentually vulnerable
web application] [Priority: 2]
02/28-13:05:16.044283 (FW external):13138 ->
(webserver internal):80
TCP TTL:125 TOS:0x0 ID:47761 IpLen:20 DgmLen:495 DF
***AP*** Seq: 0xC89D3AFF  Ack: 0xC3F78F02  Win: 0x4470
 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2144]

[**] [1:1288:2] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentually vulnerable
web application] [Priority: 2]
02/28-13:05:16.138448 (FW external):11906 ->
(webserver internal):80
TCP TTL:125 TOS:0x0 ID:47769 IpLen:20 DgmLen:458 DF
***AP*** Seq: 0x464FDF86  Ack: 0xC3F87634  Win: 0x4470
 TcpLen: 20

[**] [1:937:3] WEB-FRONTPAGE _vti_rpc access [**]
[Classification: access to a potentually vulnerable
web application] [Priority: 2]
02/28-13:05:25.053931 (FW external):11906 ->
(webserver internal):80
TCP TTL:125 TOS:0x0 ID:47777 IpLen:20 DgmLen:474 DF
***AP*** Seq: 0x464FE256  Ack: 0xC3F8778B  Win: 0x4319
 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2144]

[**] [1:1288:2] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentually vulnerable
web application] [Priority: 2]
02/28-13:05:25.145223 (FW external):9276 -> (webserver
internal):80
TCP TTL:125 TOS:0x0 ID:47785 IpLen:20 DgmLen:458 DF
***AP*** Seq: 0x8A046ED3  Ack: 0xC41B4951  Win: 0x4470
 TcpLen: 20

Snort is working properly, it usually shows the
attacker's public address in alerts.  Does anyone have
an explanation for this, other than my (SonicWall)
firewall being the actual attack source?  There's
nothing in the firewall logs to indicate anything odd.
 Thanks in advance.

Wade

__________________________________________________
Do You Yahoo!?
Yahoo! Greetings - Send FREE e-cards for every occasion!
http://greetings.yahoo.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:

Attacks From Firewall IP Wade Dixon (Feb 28)
- Re: Attacks From Firewall IP Frank Knobbe (Feb 28)