Re: Attacks From Firewall IP

[Frank Knobbe <fknobbe () knobbeits com>]

Is your firewall configured to act as a proxy? Maybe a scan from an
inside user or someone from the outside (gasp) reverse-proxing into your
network. Check the proxy settings on your firewall and make sure no
outside machine can proxy through it.

Regards,
Frank

On Thu, 2002-02-28 at 14:11, Wade Dixon wrote:
> I've only had an IDS running on my little network
> since the beginning of the year, and in that time I've
> seen 3 or 4 attacks which snort sees as coming from
> the outside firewall IP.  The latest was today, here
> are the logs:
>
> [**] [1:990:2] WEB-IIS _vti_inf access [**]
> [Classification: access to a potentually vulnerable
> web application] [Priority: 2]
> 02/28-13:05:15.715340 (FW external):10158 ->
> (webserver internal):80
> TCP TTL:125 TOS:0x0 ID:47750 IpLen:20 DgmLen:315 DF
> ***AP*** Seq: 0xBD942027  Ack: 0xC3F50B15  Win: 0x4470
>  TcpLen: 20
>
> [...]
>
> Snort is working properly, it usually shows the
> attacker's public address in alerts.  Does anyone have
> an explanation for this, other than my (SonicWall)
> firewall being the actual attack source?  There's
> nothing in the firewall logs to indicate anything odd.
>  Thanks in advance.
>
> Wade

Attachment: signature.asc
Description: This is a digitally signed message part