[Snort-users] strange firewall rules, messing with snort

Matthew Asham matthew at ...2333...
Tue Jun 19 13:12:10 EDT 2001


Hi All,

This morning whilst reading our firewall's security outputs I discovered 29
new ipfw rules
that were *not* installed by any humans here:

 00774     2737174067806208                    0 deny ip from a.b.c.201 to
0.0.0.0:29.6.0.0 ipopt ssrr,!lsrr,!rr,ts tcpflg
!fin,syn,!syn,rst,psh,!psh,!ack,urg,!urg

 00774    15068690894553088 14598987537281187840 deny ip from any to
255.255.255.255:30.6.0.0 ipopt ssrr,!ssrr,lsrr,rr,!rr,!ts tcpflg
fin,!fin,syn,!syn,rst,psh,!psh,!ack,urg,!urg

 00774     5399280697212928                    0 deny ip from a.b.c.202 to
0.0.0.0:30.6.0.0 ipopt ssrr,!ssrr,lsrr,rr,!rr,!ts tcpflg
fin,!fin,syn,!syn,rst,psh,!psh,!ack,urg,!urg

 00774    58627978627645440 14671045131319115776 deny ip from any to
255.255.255.255:31.6.0.0 ipopt ssrr,!lsrr,!rr,ts tcpflg
!fin,syn,!syn,rst,psh,!psh,!ack,urg,!urg

(IPs semi-changed to protect the innocent)

The stranger part, these rules are no longer present on the firewall!

I'm running FreeBSD 3.4-RELEASE and snort 1.7.  I looked briefly through the
snort source to see if it adds these rules automagically but it doesn't seem
so (nor does it make sense).

Aside from the entries appearing magically themselves, the high byte counts
bother me more.  Checking our mrtg graphs doesn't show an increase in
utilization on our T1s, and none of our systems show any evidence of strange
activity.

Has anyone seen this before?  Ideas?  Clues? :)

Thanks

Matthew


--
Matthew Asham, VE7UDP
Left Coast Systems Corp, SuperWebhost.com
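A small sanity checker for the kind of listing shown in the post, added here as an example and not part of the original thread or of ipfw or snort: it parses "ipfw show"-style lines and flags the signs of garbage that the rules above exhibit (a byte counter lower than the packet counter, a non-contiguous netmask, and an option or TCP flag listed both set and negated). The sample lines are constructed from the first two rules in the post, re-joined onto single lines; the function and pattern names are my own.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: the first two rule lines from the post, each re-joined
# onto one line (the addresses were already anonymised by the poster).
SAMPLE_RULES = [
    "00774 2737174067806208 0 deny ip from a.b.c.201 to 0.0.0.0:29.6.0.0 "
    "ipopt ssrr,!lsrr,!rr,ts tcpflg !fin,syn,!syn,rst,psh,!psh,!ack,urg,!urg",
    "00774 15068690894553088 14598987537281187840 deny ip from any to "
    "255.255.255.255:30.6.0.0 ipopt ssrr,!ssrr,lsrr,rr,!rr,!ts tcpflg "
    "fin,!fin,syn,!syn,rst,psh,!psh,!ack,urg,!urg",
]

# 'ipfw show' prints: rule number, packet counter, byte counter, rule body.
RULE_RE = re.compile(r"^(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<octets>\d+)\s+(?P<body>.*)$")
MASK_RE = re.compile(r":(\d+\.\d+\.\d+\.\d+)")   # the mask half of addr:mask

def contradictory(flaglist: str) -> set:
    """Names that appear both set and negated in an 'a,!a,b' style list."""
    items = flaglist.split(",")
    plain = {i for i in items if not i.startswith("!")}
    negated = {i[1:] for i in items if i.startswith("!")}
    return plain & negated

def contiguous_mask(mask: str) -> bool:
    """A real netmask is a run of 1-bits followed by 0-bits (0.0.0.0 allowed)."""
    m = int(IPv4Address(mask))
    return m == 0 or (m | (m - 1)) == 0xFFFFFFFF

def check_rule(line: str) -> list:
    """Return human-readable sanity problems for one 'ipfw show' line."""
    m = RULE_RE.match(line.strip())
    if not m:
        return ["unparseable line"]
    problems = []
    pkts, octets = int(m["pkts"]), int(m["octets"])
    if pkts and octets < pkts:          # every counted packet carries >= 1 byte
        problems.append("byte counter smaller than packet counter")
    for mask in MASK_RE.findall(m["body"]):
        if not contiguous_mask(mask):
            problems.append(f"non-contiguous netmask {mask}")
    for kw in ("ipopt", "tcpflg"):
        km = re.search(rf"\b{kw}\s+(\S+)", m["body"])
        if km and (both := contradictory(km.group(1))):
            problems.append(f"{kw} both set and negated: {','.join(sorted(both))}")
    return problems

def audit(lines) -> dict:
    """Map each rule line to its problems; an empty list means it looks sane."""
    return {ln: check_rule(ln) for ln in lines}

if __name__ == "__main__":
    for rule, found in audit(SAMPLE_RULES).items():
        print(rule.split(" deny ")[0], "->", found or "looks sane")
```

Any rule that trips these checks cannot have been produced by a valid "ipfw add", which points at corrupted rule storage or a corrupted listing rather than at something snort inserted.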
