[Snort-users] Attacks From Firewall IP

Frank Knobbe fknobbe at ...652...
Thu Feb 28 20:40:02 EST 2002


Is your firewall configured to act as a proxy? Maybe a scan from an
inside user or someone from the outside (gasp) reverse-proxying into your
network. Check the proxy settings on your firewall and make sure no
outside machine can proxy through it.

Regards,
Frank

On Thu, 2002-02-28 at 14:11, Wade Dixon wrote:
> I've only had an IDS running on my little network
> since the beginning of the year, and in that time I've
> seen 3 or 4 attacks which snort sees as coming from
> the outside firewall IP.  The latest was today, here
> are the logs:
> 
> [**] [1:990:2] WEB-IIS _vti_inf access [**]
> [Classification: access to a potentually vulnerable
> web application] [Priority: 2]
> 02/28-13:05:15.715340 (FW external):10158 ->
> (webserver internal):80
> TCP TTL:125 TOS:0x0 ID:47750 IpLen:20 DgmLen:315 DF
> ***AP*** Seq: 0xBD942027  Ack: 0xC3F50B15  Win: 0x4470
>  TcpLen: 20
> 
> [...]
> 
> Snort is working properly, it usually shows the
> attacker's public address in alerts.  Does anyone have
> an explanation for this, other than my (SonicWall)
> firewall being the actual attack source?  There's
> nothing in the firewall logs to indicate anything odd.
>  Thanks in advance.
> 
> Wade
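
An added example, not part of the original thread: one way to pull every Snort alert whose source is the firewall's own address out of a full-format alert file, so the timestamps and source ports can be looked up in the firewall's connection or proxy log. All addresses and the sample alerts are constructed placeholders; 192.0.2.1 stands in for the firewall's external address.

```python
import re

# Constructed sample in Snort's full alert format. 192.0.2.1 is a placeholder
# for the firewall's external address; the other addresses are placeholders too.
SAMPLE = """\
[**] [1:990:2] WEB-IIS _vti_inf access [**]
[Classification: access to a potentually vulnerable web application] [Priority: 2]
02/28-13:05:15.715340 192.0.2.1:10158 -> 10.0.0.5:80
TCP TTL:125 TOS:0x0 ID:47750 IpLen:20 DgmLen:315 DF

[**] [1:990:2] WEB-IIS _vti_inf access [**]
[Classification: access to a potentually vulnerable web application] [Priority: 2]
02/28-13:09:41.102233 198.51.100.77:4021 -> 10.0.0.5:80
TCP TTL:113 TOS:0x0 ID:5120 IpLen:20 DgmLen:298 DF

[**] [1:990:2] WEB-IIS _vti_inf access [**]
[Classification: access to a potentually vulnerable web application] [Priority: 2]
02/28-13:12:03.551900 192.0.2.1:10231 -> 10.0.0.5:80
TCP TTL:125 TOS:0x0 ID:47802 IpLen:20 DgmLen:301 DF
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
FLOW = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?):(\d+) -> (\S+?):(\d+)$")
TTL = re.compile(r"\bTTL:(\d+)")

def parse_alerts(text):
    """Yield one dict per blank-line-separated alert; alerts without ports are skipped."""
    for block in re.split(r"\n\s*\n", text.strip()):
        alert = {}
        for line in block.splitlines():
            line = line.strip()
            if m := HEADER.match(line):
                alert["sid"], alert["msg"] = int(m.group(2)), m.group(4)
            elif m := FLOW.match(line):
                alert.update(time=m.group(1), src=m.group(2), sport=int(m.group(3)),
                             dst=m.group(4), dport=int(m.group(5)))
            elif m := TTL.search(line):
                alert["ttl"] = int(m.group(1))
        if "sid" in alert and "src" in alert:
            yield alert

def from_firewall(alerts, firewall_ips):
    """Return the alerts whose source is one of the firewall's own addresses."""
    return [a for a in alerts if a["src"] in firewall_ips]

def correlation_keys(alerts):
    """(time, source port, destination) tuples to search for in the firewall's logs."""
    return [(a["time"], a["sport"], f'{a["dst"]}:{a["dport"]}') for a in alerts]
```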
