[Snort-users] Attacks From Firewall IP
fknobbe at ...652...
Thu Feb 28 20:40:02 EST 2002
Is your firewall configured to act as a proxy? Maybe a scan from an
inside user or someone from the outside (gasp) reverse-proxying into your
network. Check the proxy settings on your firewall and make sure no
outside machine can proxy through it.
On Thu, 2002-02-28 at 14:11, Wade Dixon wrote:
> I've only had an IDS running on my little network
> since the beginning of the year, and in that time I've
> seen 3 or 4 attacks which snort sees as coming from
> the outside firewall IP. The latest was today, here
> are the logs:
> [**] [1:990:2] WEB-IIS _vti_inf access [**]
> [Classification: access to a potentually vulnerable
> web application] [Priority: 2]
> 02/28-13:05:15.715340 (FW external):10158 ->
> (webserver internal):80
> TCP TTL:125 TOS:0x0 ID:47750 IpLen:20 DgmLen:315 DF
> ***AP*** Seq: 0xBD942027 Ack: 0xC3F50B15 Win: 0x4470
> TcpLen: 20
> Snort is working properly, it usually shows the
> attacker's public address in alerts. Does anyone have
> an explanation for this, other than my (SonicWall)
> firewall being the actual attack source? There's
> nothing in the firewall logs to indicate anything odd.
> Thanks in advance.
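An added example, not part of the original thread: one way to triage alerts that show the firewall's own address as the source is to compare the logged TTL with the common initial TTL values, since a connection opened by a proxy on the firewall arrives with an undecremented TTL while a forwarded packet with a rewritten source does not. Assumptions: the sensor sits on the segment directly behind the firewall, senders start at 64, 128 or 255, and the addresses and the function names (`parse_alerts`, `hops_from_origin`, `triage`) are constructed for illustration.

```python
import re
from collections import namedtuple

Alert = namedtuple("Alert", "sid msg src dst ttl")
# Constructed sample in Snort's full-alert layout (classification line
# omitted). 192.0.2.1 is a placeholder standing in for "FW external".
SAMPLE = """\
[**] [1:990:2] WEB-IIS _vti_inf access [**]
02/28-13:05:15.715340 192.0.2.1:10158 -> 10.0.0.5:80
TCP TTL:125 TOS:0x0 ID:47750 IpLen:20 DgmLen:315 DF

[**] [1:990:2] WEB-IIS _vti_inf access [**]
03/01-09:12:44.100200 192.0.2.1:10311 -> 10.0.0.5:80
TCP TTL:64 TOS:0x0 ID:5121 IpLen:20 DgmLen:310 DF

[**] [1:990:2] WEB-IIS _vti_inf access [**]
03/01-10:40:02.551900 198.51.100.7:4021 -> 10.0.0.5:80
TCP TTL:113 TOS:0x0 ID:9034 IpLen:20 DgmLen:312 DF
"""

HEAD = re.compile(r"\[\*\*\] \[\d+:(\d+):\d+\] (.*?) \[\*\*\]")
FLOW = re.compile(r"(\d+(?:\.\d+){3}):\d+ -> (\d+(?:\.\d+){3}):\d+")
TTL = re.compile(r"\bTTL:(\d+)")

def parse_alerts(text):
    """Split on blank lines and pull SID, message, endpoints and TTL."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        h, f, t = HEAD.search(block), FLOW.search(block), TTL.search(block)
        if h and f and t:
            alerts.append(Alert(int(h.group(1)), h.group(2),
                                f.group(1), f.group(2), int(t.group(1))))
    return alerts

def hops_from_origin(ttl):
    """Heuristic: assume the sender used the nearest common initial TTL."""
    # Assumption: only meaningful if the sensor is adjacent to the firewall.
    return next(v for v in (64, 128, 255) if ttl <= v) - ttl

def triage(alerts, firewall_ip):
    """Label each alert by whether the firewall address looks rewritten."""
    out = []
    for a in alerts:
        if a.src != firewall_ip:
            label = "external source visible"
        else:
            label = ("likely originated on firewall" if hops_from_origin(a.ttl) == 0
                     else "likely forwarded, source rewritten")
        out.append((a.src, a.ttl, label))
    return out
```

The labels are triage hints to check against the firewall's proxy and NAT configuration and its connection logs, not conclusions.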