[Snort-users] Attacks From Firewall IP

Wade Dixon wmd2001 at ...131...
Thu Feb 28 12:12:31 EST 2002


I've only had an IDS running on my little network
since the beginning of the year, and in that time I've
seen 3 or 4 attacks which snort sees as coming from
the outside firewall IP.  The latest was today, here
are the logs:

[**] [1:990:2] WEB-IIS _vti_inf access [**]
[Classification: access to a potentually vulnerable
web application] [Priority: 2]
02/28-13:05:15.715340 (FW external):10158 ->
(webserver internal):80
TCP TTL:125 TOS:0x0 ID:47750 IpLen:20 DgmLen:315 DF
***AP*** Seq: 0xBD942027  Ack: 0xC3F50B15  Win: 0x4470
 TcpLen: 20

[**] [1:937:3] WEB-FRONTPAGE _vti_rpc access [**]
[Classification: access to a potentually vulnerable
web application] [Priority: 2]
02/28-13:05:15.950989 (FW external):10158 ->
(webserver internal):80
TCP TTL:125 TOS:0x0 ID:47753 IpLen:20 DgmLen:440 DF
***AP*** Seq: 0xBD94213A  Ack: 0xC3F512D6  Win: 0x4470
 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2144]

[**] [1:937:3] WEB-FRONTPAGE _vti_rpc access [**]
[Classification: access to a potentually vulnerable
web application] [Priority: 2]
02/28-13:05:16.044283 (FW external):13138 ->
(webserver internal):80
TCP TTL:125 TOS:0x0 ID:47761 IpLen:20 DgmLen:495 DF
***AP*** Seq: 0xC89D3AFF  Ack: 0xC3F78F02  Win: 0x4470
 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2144]

[**] [1:1288:2] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentually vulnerable
web application] [Priority: 2]
02/28-13:05:16.138448 (FW external):11906 ->
(webserver internal):80
TCP TTL:125 TOS:0x0 ID:47769 IpLen:20 DgmLen:458 DF
***AP*** Seq: 0x464FDF86  Ack: 0xC3F87634  Win: 0x4470
 TcpLen: 20

[**] [1:937:3] WEB-FRONTPAGE _vti_rpc access [**]
[Classification: access to a potentually vulnerable
web application] [Priority: 2]
02/28-13:05:25.053931 (FW external):11906 ->
(webserver internal):80
TCP TTL:125 TOS:0x0 ID:47777 IpLen:20 DgmLen:474 DF
***AP*** Seq: 0x464FE256  Ack: 0xC3F8778B  Win: 0x4319
 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2144]

[**] [1:1288:2] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentually vulnerable
web application] [Priority: 2]
02/28-13:05:25.145223 (FW external):9276 -> (webserver
internal):80
TCP TTL:125 TOS:0x0 ID:47785 IpLen:20 DgmLen:458 DF
***AP*** Seq: 0x8A046ED3  Ack: 0xC41B4951  Win: 0x4470
 TcpLen: 20

Snort is working properly, it usually shows the
attacker's public address in alerts.  Does anyone have
an explanation for this, other than my (SonicWall)
firewall being the actual attack source?  There's
nothing in the firewall logs to indicate anything odd.
 Thanks in advance.

Wade

__________________________________________________
Do You Yahoo!?
Yahoo! Greetings - Send FREE e-cards for every occasion!
http://greetings.yahoo.com




More information about the Snort-users mailing list