Snort mailing list archives

strange firewall rules, messing with snort


From: "Matthew Asham" <matthew () leftcoast com>
Date: Tue, 19 Jun 2001 10:12:10 -0700

Hi All,

This morning whilst reading our firewall's security outputs I discovered 29 new ipfw rules that were *not* installed by any humans here:

 00774     2737174067806208                    0 deny ip from a.b.c.201 to 0.0.0.0:29.6.0.0 ipopt ssrr,!lsrr,!rr,ts tcpflg !fin,syn,!syn,rst,psh,!psh,!ack,urg,!urg

 00774    15068690894553088 14598987537281187840 deny ip from any to 255.255.255.255:30.6.0.0 ipopt ssrr,!ssrr,lsrr,rr,!rr,!ts tcpflg fin,!fin,syn,!syn,rst,psh,!psh,!ack,urg,!urg

 00774     5399280697212928                    0 deny ip from a.b.c.202 to 0.0.0.0:30.6.0.0 ipopt ssrr,!ssrr,lsrr,rr,!rr,!ts tcpflg fin,!fin,syn,!syn,rst,psh,!psh,!ack,urg,!urg

 00774    58627978627645440 14671045131319115776 deny ip from any to 255.255.255.255:31.6.0.0 ipopt ssrr,!lsrr,!rr,ts tcpflg !fin,syn,!syn,rst,psh,!psh,!ack,urg,!urg

(IP's semi-changed to protect the innocent)

The stranger part: these rules are no longer present on the firewall!

I'm running FreeBSD 3.4-RELEASE and snort 1.7.  I looked briefly through the snort source to see if it adds these rules automagically, but it doesn't seem so (nor does it make sense).

Aside from the entries appearing magically by themselves, the high byte counts bother me more.  Checking our mrtg graphs doesn't show an increase in utilization on our T1s, and none of our systems show any evidence of strange activity.

Has anyone seen this before?  Ideas?  Clues? :)

Thanks

Matthew


--
Matthew Asham, VE7UDP
Left Coast Systems Corp, SuperWebhost.com


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
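An added check, not part of Matthew's post and not code from ipfw or Snort: a script that parses "ipfw -a list" accounting lines and flags rules whose counters or option lists cannot be legitimate. It is built from the observations in the post: a packet count with zero bytes, byte counts far beyond what the link could carry, "addr:mask" destinations whose mask is not a contiguous netmask, and tcpflg/ipopt lists that both require and forbid the same bit (syn,!syn). The accounting-line layout (rule, packets, bytes, action, proto, from, to, options) is assumed from FreeBSD 3.x/4.x ipfw; the T1 link speed and the uptime figure used for the capacity check are parameters and are assumptions. The four sample lines are the post's rules re-joined onto one line each (constructed input).

```python
"""Audit ``ipfw -a list`` output for rules that look like memory garbage
rather than something a human typed or that legitimate traffic produced.

Added example; not code from the original post, ipfw or Snort.
Assumed line layout (FreeBSD 3.x/4.x ipfw accounting listing):
    <rule> <pkts> <bytes> <action> <proto> from <src> to <dst> [options...]
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^\s*(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"(?P<action>\S+)\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?P<opts>.*)$"
)
DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
T1_BPS = 1_544_000  # assumed uplink speed for the capacity check

# Constructed sample input: the four rules from the post, one per line.
SAMPLE_LINES = [
    "00774     2737174067806208                    0 deny ip from a.b.c.201 to "
    "0.0.0.0:29.6.0.0 ipopt ssrr,!lsrr,!rr,ts tcpflg !fin,syn,!syn,rst,psh,!psh,!ack,urg,!urg",
    "00774    15068690894553088 14598987537281187840 deny ip from any to "
    "255.255.255.255:30.6.0.0 ipopt ssrr,!ssrr,lsrr,rr,!rr,!ts tcpflg fin,!fin,syn,!syn,rst,psh,!psh,!ack,urg,!urg",
    "00774     5399280697212928                    0 deny ip from a.b.c.202 to "
    "0.0.0.0:30.6.0.0 ipopt ssrr,!ssrr,lsrr,rr,!rr,!ts tcpflg fin,!fin,syn,!syn,rst,psh,!psh,!ack,urg,!urg",
    "00774    58627978627645440 14671045131319115776 deny ip from any to "
    "255.255.255.255:31.6.0.0 ipopt ssrr,!lsrr,!rr,ts tcpflg !fin,syn,!syn,rst,psh,!psh,!ack,urg,!urg",
]


@dataclass
class Finding:
    rule: str
    line: str
    problems: List[str] = field(default_factory=list)


def contradictory_keywords(spec: str) -> List[str]:
    """Keywords listed both asserted and negated in one ipopt/tcpflg spec."""
    words = spec.split(",")
    plain = {w for w in words if w and not w.startswith("!")}
    negated = {w[1:] for w in words if w.startswith("!")}
    return sorted(plain & negated)


def mask_is_contiguous(mask: str) -> bool:
    """True if the dotted-quad mask is a run of 1 bits followed by 0 bits."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(o > 255 for o in octets):
        return False
    value = 0
    for o in octets:
        value = (value << 8) | o
    inverted = ~value & 0xFFFFFFFF            # set where the mask has zeros
    return (inverted & (inverted + 1)) == 0   # must be 2**n - 1


def check_rule(line: str, link_bps: Optional[int] = None,
               uptime_s: Optional[int] = None) -> Optional[Finding]:
    """Return a Finding listing every implausibility in one rule, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = Finding(rule=m["rule"], line=line.strip())
    pkts, nbytes = int(m["pkts"]), int(m["bytes"])

    # Counter plausibility: every IP packet is 20..65535 bytes.
    if pkts and nbytes < 20 * pkts:
        f.problems.append(f"{pkts} packets but {nbytes} bytes: under 20 B/packet")
    elif pkts and nbytes > 65535 * pkts:
        f.problems.append(f"{nbytes} bytes over {pkts} packets: over 65535 B/packet")
    if link_bps and uptime_s:
        capacity = link_bps // 8 * uptime_s   # bytes the link could carry since boot
        if nbytes > capacity or pkts * 20 > capacity:
            f.problems.append(f"counters exceed a {link_bps} bps link over {uptime_s} s")

    # addr:mask endpoints: a mask that is not contiguous is not something a user writes.
    for label, ep in (("src", m["src"]), ("dst", m["dst"])):
        if ":" in ep:
            mask = ep.split(":", 1)[1]
            if DOTTED_QUAD.match(mask) and not mask_is_contiguous(mask):
                f.problems.append(f"{label} mask {mask} is not a contiguous netmask")

    # Option lists that require and forbid the same bit can never match a packet.
    opts = m["opts"].split()
    for i, tok in enumerate(opts):
        if tok in ("ipopt", "ipoptions", "tcpflg", "tcpflags") and i + 1 < len(opts):
            dup = contradictory_keywords(opts[i + 1])
            if dup:
                f.problems.append(f"{tok} both asserts and negates {','.join(dup)}")
    return f if f.problems else None


def audit(lines, link_bps=None, uptime_s=None) -> List[Finding]:
    """One Finding per implausible rule, plus a note for reused rule numbers."""
    findings = [r for r in (check_rule(l, link_bps, uptime_s) for l in lines) if r]
    seen: Dict[str, int] = {}
    for l in lines:
        m = LINE_RE.match(l)
        if m:
            seen[m["rule"]] = seen.get(m["rule"], 0) + 1
    for rule, n in seen.items():
        if n > 1:
            findings.append(Finding(rule, "", [f"rule number {rule} used by {n} rules"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LINES, link_bps=T1_BPS, uptime_s=30 * 86400):
        print(f.rule, "|", "; ".join(f.problems))
```

Run it against a saved "ipfw -a list" snapshot (or pipe the listing in and split on newlines) from cron and diff the findings against the previous run; rules that appear and then vanish, as in the post, are caught only if the snapshot is taken while they are present, so sample often. The capacity check is the one that would have caught these entries even if the option lists had happened to be self-consistent: at 1.544 Mbps a T1 moves about 193 KB per second, so a byte count in the 10^19 range is impossible for any uptime.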

