Snort mailing list archives
not allowed traffic in the Intranet [RMC-VUCLPP3]
From: "Romulo M. Cholewa" <rmc () rmc eti br>
Date: Tue, 4 Feb 2003 12:08:32 -0300
Hi all,

I recently received some alerts that disturbed me. I would like to confirm it as a bug (it can't be a misconfiguration). It could be a snort bug (almost discarded) or simply a ZoneAlarm bug.

My "firewall" provides Internet access through Windows 2K NAT (W2K SP3 All HFs) and has two interfaces: an external one (192.168.7.254) and a local one (10.255.255.254). The external interface is connected to an ADSL modem (Allied Data Tech CJ810) also with NAT enabled. It has some portmappings to 192.168.7.254 (firewall, which portmaps 21, 25, 80, 443, and some other ports, but NOT 137 / 139 / 445).

The firewall is running ZoneAlarm Pro latest version. Internet zone set to high, trusted zone set to med (IPsec is used in the intranet).

My webserver is 10.255.255.253 (remember: the ADSL modem portmaps port 80 to 192.168.7.254, and the firewall portmaps it to 10.255.255.253). NO OTHER ports are portmapped.

snort, running on the webserver, detected a netbios name query from an IP address on... the internet! (???)

How could that be? I can think of only one thing. This is reply traffic (my server did a name query, and simply received the answer). Since ZoneAlarm is configured to high for the internet traffic, it would not allow netbios traffic, but it did.

I would like to hear some comments. I'm almost sure this is a ZA Pro bug, and I want to submit it.

Thanks in advance,

Romulo M. Cholewa
Home : http://www.rmc.eti.br
Forum: http://zeus.rmc.eti.br/forum
PGP Keys Available @ website.

'Art is the only way to run away without leaving home.' - Twyla Tharp