Snort mailing list archives
Re: Attacks From Firewall IP
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 28 Feb 2002 22:37:58 -0600
Is your firewall configured to act as a proxy? Maybe a scan from an inside user or someone from the outside (gasp) reverse-proxying into your network. Check the proxy settings on your firewall and make sure no outside machine can proxy through it.

Regards,
Frank

On Thu, 2002-02-28 at 14:11, Wade Dixon wrote:
> I've only had an IDS running on my little network since the beginning of the year, and in that time I've seen 3 or 4 attacks which snort sees as coming from the outside firewall IP. The latest was today, here are the logs:
>
> [**] [1:990:2] WEB-IIS _vti_inf access [**]
> [Classification: access to a potentually vulnerable web application] [Priority: 2]
> 02/28-13:05:15.715340 (FW external):10158 -> (webserver internal):80
> TCP TTL:125 TOS:0x0 ID:47750 IpLen:20 DgmLen:315 DF
> ***AP*** Seq: 0xBD942027 Ack: 0xC3F50B15 Win: 0x4470 TcpLen: 20
> [...]
>
> Snort is working properly, it usually shows the attacker's public address in alerts. Does anyone have an explanation for this, other than my (SonicWall) firewall being the actual attack source? There's nothing in the firewall logs to indicate anything odd.
>
> Thanks in advance.
> Wade
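
An added triage example, not part of either message: it parses Snort full-format alerts and picks out those whose source is the firewall's own address, returning the timestamp and firewall-side source port needed to look up the relayed session in the firewall or proxy logs. The addresses, `FIREWALL_IPS` and both function names are assumptions made for the example; the sample alerts are constructed.

```python
import re

# Constructed sample in Snort "full" alert format; all addresses are
# documentation-range placeholders, not values from the thread.
FIREWALL_IPS = {"203.0.113.1"}  # assumed external address of the firewall
SAMPLE_ALERTS = """\
[**] [1:990:2] WEB-IIS _vti_inf access [**]
[Classification: access to a potentually vulnerable web application] [Priority: 2]
02/28-13:05:15.715340 203.0.113.1:10158 -> 192.0.2.10:80
TCP TTL:125 TOS:0x0 ID:47750 IpLen:20 DgmLen:315 DF
***AP*** Seq: 0xBD942027 Ack: 0xC3F50B15 Win: 0x4470 TcpLen: 20

[**] [1:990:2] WEB-IIS _vti_inf access [**]
[Classification: access to a potentually vulnerable web application] [Priority: 2]
02/28-13:07:41.102233 198.51.100.77:3321 -> 192.0.2.10:80
TCP TTL:112 TOS:0x0 ID:5123 IpLen:20 DgmLen:315 DF
***AP*** Seq: 0x1A2B3C4D Ack: 0x5E6F7081 Win: 0x4470 TcpLen: 20
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
FLOW = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)$")

def parse_alerts(text):
    """Split blank-line separated alert blocks into dicts."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        alert = {}
        for line in block.splitlines():
            if m := HEADER.match(line):
                alert.update(sid=int(m.group(2)), msg=m.group(4))
            elif m := FLOW.match(line):
                ts, src, sport, dst, dport = m.groups()
                alert.update(time=ts, src=src, sport=int(sport), dst=dst, dport=int(dport))
        if "sid" in alert and "src" in alert:
            alerts.append(alert)
    return alerts

def firewall_sourced(alerts, firewall_ips):
    """Alerts whose source is the firewall itself. If the firewall relayed the
    connection as a proxy, the original client is only in its own logs, so
    return the keys for that lookup: time and firewall-side source port."""
    return [
        {"sid": a["sid"], "time": a["time"], "fw_port": a["sport"], "target": f'{a["dst"]}:{a["dport"]}'}
        for a in alerts if a["src"] in firewall_ips
    ]

if __name__ == "__main__":
    for hit in firewall_sourced(parse_alerts(SAMPLE_ALERTS), FIREWALL_IPS):
        print(hit)
```
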