Snort mailing list archives
Attacks From Firewall IP
From: Wade Dixon <wmd2001 () yahoo com>
Date: Thu, 28 Feb 2002 12:11:57 -0800 (PST)
I've only had an IDS running on my little network since the beginning of the year, and in that time I've seen 3 or 4 attacks which Snort sees as coming from the outside firewall IP. The latest was today; here are the logs:

[**] [1:990:2] WEB-IIS _vti_inf access [**]
[Classification: access to a potentually vulnerable web application] [Priority: 2]
02/28-13:05:15.715340 (FW external):10158 -> (webserver internal):80
TCP TTL:125 TOS:0x0 ID:47750 IpLen:20 DgmLen:315 DF
***AP*** Seq: 0xBD942027  Ack: 0xC3F50B15  Win: 0x4470  TcpLen: 20

[**] [1:937:3] WEB-FRONTPAGE _vti_rpc access [**]
[Classification: access to a potentually vulnerable web application] [Priority: 2]
02/28-13:05:15.950989 (FW external):10158 -> (webserver internal):80
TCP TTL:125 TOS:0x0 ID:47753 IpLen:20 DgmLen:440 DF
***AP*** Seq: 0xBD94213A  Ack: 0xC3F512D6  Win: 0x4470  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2144]

[**] [1:937:3] WEB-FRONTPAGE _vti_rpc access [**]
[Classification: access to a potentually vulnerable web application] [Priority: 2]
02/28-13:05:16.044283 (FW external):13138 -> (webserver internal):80
TCP TTL:125 TOS:0x0 ID:47761 IpLen:20 DgmLen:495 DF
***AP*** Seq: 0xC89D3AFF  Ack: 0xC3F78F02  Win: 0x4470  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2144]

[**] [1:1288:2] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentually vulnerable web application] [Priority: 2]
02/28-13:05:16.138448 (FW external):11906 -> (webserver internal):80
TCP TTL:125 TOS:0x0 ID:47769 IpLen:20 DgmLen:458 DF
***AP*** Seq: 0x464FDF86  Ack: 0xC3F87634  Win: 0x4470  TcpLen: 20

[**] [1:937:3] WEB-FRONTPAGE _vti_rpc access [**]
[Classification: access to a potentually vulnerable web application] [Priority: 2]
02/28-13:05:25.053931 (FW external):11906 -> (webserver internal):80
TCP TTL:125 TOS:0x0 ID:47777 IpLen:20 DgmLen:474 DF
***AP*** Seq: 0x464FE256  Ack: 0xC3F8778B  Win: 0x4319  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2144]

[**] [1:1288:2] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentually vulnerable web application] [Priority: 2]
02/28-13:05:25.145223 (FW external):9276 -> (webserver internal):80
TCP TTL:125 TOS:0x0 ID:47785 IpLen:20 DgmLen:458 DF
***AP*** Seq: 0x8A046ED3  Ack: 0xC41B4951  Win: 0x4470  TcpLen: 20

Snort is working properly; it usually shows the attacker's public address in alerts. Does anyone have an explanation for this, other than my (SonicWall) firewall being the actual attack source? There's nothing in the firewall logs to indicate anything odd.

Thanks in advance.

Wade
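An added example of the triage an analyst can run on alerts like the ones above; it is not code from the original post or from the Snort project. It parses Snort's "full" alert format, keeps the alerts whose source is the firewall's external address, and groups them by source port: a source-NATing firewall keeps the translated port fixed for one connection, so each port is one client connection and is the value to look for in the firewall's own connection or NAT log around that timestamp to recover the real client address. It also turns the observed TTL into a rough hop estimate (125 is three below the common initial value of 128), which is the kind of hint that the packets were forwarded rather than generated by the firewall; that is an inference, not something the post establishes. The addresses 203.0.113.1 (firewall external) and 192.168.1.10 (web server) and the embedded alert text are constructed stand-ins for the placeholders in the post.

```python
"""Triage Snort full-format alerts that carry a NAT device's address as source.
Added example; not code from the original post or from the Snort project."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: four of the post's alerts with the placeholders replaced by
# 203.0.113.1 (firewall external) and 192.168.1.10 (web server); the TCP
# flag/sequence lines are left out because the parser does not use them.
SAMPLE_ALERTS = """\
[**] [1:990:2] WEB-IIS _vti_inf access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
02/28-13:05:15.715340 203.0.113.1:10158 -> 192.168.1.10:80
TCP TTL:125 TOS:0x0 ID:47750 IpLen:20 DgmLen:315 DF

[**] [1:937:3] WEB-FRONTPAGE _vti_rpc access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
02/28-13:05:15.950989 203.0.113.1:10158 -> 192.168.1.10:80
TCP TTL:125 TOS:0x0 ID:47753 IpLen:20 DgmLen:440 DF
[Xref => http://www.securityfocus.com/bid/2144]

[**] [1:1288:2] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
02/28-13:05:16.138448 203.0.113.1:11906 -> 192.168.1.10:80
TCP TTL:125 TOS:0x0 ID:47769 IpLen:20 DgmLen:458 DF

[**] [1:937:3] WEB-FRONTPAGE _vti_rpc access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
02/28-13:05:25.053931 203.0.113.1:11906 -> 192.168.1.10:80
TCP TTL:125 TOS:0x0 ID:47777 IpLen:20 DgmLen:474 DF
"""

# One alert in Snort's "full" format: rule header, optional classification,
# timestamp and endpoints, IP header line. Trailing [Xref => ...] lines are skipped.
ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\]\s*"
    r"(?:\[Classification: [^\]]*\] )?\[Priority: \d+\]\s*"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"\w+ TTL:(?P<ttl>\d+)",
    re.S,
)

@dataclass
class Alert:
    sid: int
    msg: str
    ts: datetime      # Snort omits the year; strptime defaults it to 1900
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int

def parse_alerts(text: str) -> list[Alert]:
    """Parse every full-format alert found in text, in file order."""
    return [Alert(int(m["sid"]), m["msg"].strip(),
                  datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f"),
                  m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["ttl"]))
            for m in ALERT_RE.finditer(text)]

COMMON_INITIAL_TTLS = (32, 64, 128, 255)

def estimate_origin(ttl: int) -> tuple[int, int]:
    """Heuristic: take the smallest common initial TTL >= the observed value and
    return (initial_ttl, hops_traversed). Packets the firewall generated itself
    toward a directly attached server would arrive with an initial value such as
    64, 128 or 255 undecremented, not 125."""
    for init in COMMON_INITIAL_TTLS:
        if ttl <= init:
            return init, init - ttl
    raise ValueError(f"TTL out of range: {ttl}")

def connections_from(alerts: list[Alert], nat_ip: str) -> dict[int, dict]:
    """Group alerts whose source is nat_ip by source port. Source NAT keeps the
    translated port fixed for the life of one connection, so each key here is
    one connection and is what to search for in the firewall's NAT/connection
    log near the 'first' timestamp to recover the real client address."""
    groups: dict[int, list[Alert]] = defaultdict(list)
    for a in alerts:
        if a.src == nat_ip:
            groups[a.sport].append(a)
    summary = {}
    for sport, items in groups.items():
        items.sort(key=lambda a: a.ts)
        summary[sport] = {"count": len(items), "sids": [a.sid for a in items],
                          "first": items[0].ts, "ttls": sorted({a.ttl for a in items}),
                          "span_s": (items[-1].ts - items[0].ts).total_seconds()}
    return summary

if __name__ == "__main__":
    for sport, info in sorted(connections_from(parse_alerts(SAMPLE_ALERTS), "203.0.113.1").items()):
        init, hops = estimate_origin(info["ttls"][0])
        print(f"sport {sport}: {info['count']} alert(s) sids={info['sids']} "
              f"span={info['span_s']:.3f}s ttl={info['ttls']} (initial {init}, ~{hops} hops)")
```

Run against a real alert file by reading it into `parse_alerts` and passing the firewall's external address to `connections_from`; the source ports and first-seen timestamps it prints are what to match against the SonicWall connection log. The hop estimate is only a hint: initial TTLs vary by operating system, so treat it as supporting evidence, not proof.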
Current thread:
- Attacks From Firewall IP Wade Dixon (Feb 28)
- Re: Attacks From Firewall IP Frank Knobbe (Feb 28)