Snort mailing list archives
strange firewall rules, messing with snort
From: "Matthew Asham" <matthew () leftcoast com>
Date: Tue, 19 Jun 2001 10:12:10 -0700
Hi All,

This morning whilst reading our firewall's security outputs I discovered 29 new ipfw rules that were *not* installed by any humans here:

    00774 2737174067806208 0 deny ip from a.b.c.201 to 0.0.0.0:29.6.0.0 ipopt ssrr,!lsrr,!rr,ts tcpflg !fin,syn,!syn,rst,psh,!psh,!ack,urg,!urg
    00774 15068690894553088 14598987537281187840 deny ip from any to 255.255.255.255:30.6.0.0 ipopt ssrr,!ssrr,lsrr,rr,!rr,!ts tcpflg fin,!fin,syn,!syn,rst,psh,!psh,!ack,urg,!urg
    00774 5399280697212928 0 deny ip from a.b.c.202 to 0.0.0.0:30.6.0.0 ipopt ssrr,!ssrr,lsrr,rr,!rr,!ts tcpflg fin,!fin,syn,!syn,rst,psh,!psh,!ack,urg,!urg
    00774 58627978627645440 14671045131319115776 deny ip from any to 255.255.255.255:31.6.0.0 ipopt ssrr,!lsrr,!rr,ts tcpflg !fin,syn,!syn,rst,psh,!psh,!ack,urg,!urg

(IPs semi-changed to protect the innocent)

The stranger part: these rules are no longer present on the firewall!

I'm running FreeBSD 3.4-RELEASE and snort 1.7. I looked briefly through the snort source to see if it adds these rules automagically, but it doesn't seem so (nor does it make sense).

Aside from the entries appearing magically themselves, the high byte counts bother me more. Checking our mrtg graphs doesn't show an increase in utilization on our T1s, and none of our systems show any evidence of strange activity.

Has anyone seen this before? Ideas? Clues? :)

Thanks
Matthew

-- 
Matthew Asham, VE7UDP
Left Coast Systems Corp, SuperWebhost.com
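A sanity check for `ipfw show` output of the kind quoted above, added here as an example and not part of the original post: it flags rules whose option lists both require and exclude the same token (e.g. `syn,!syn`) and counters that are implausible for the link (a byte counter larger than a year of saturated T1, or fewer bytes than the packet count allows). The sample lines are constructed from the rules in the post with the same masked addresses; the T1-year bound is an assumption of the check.

```python
import re

# Constructed sample input: two of the rules quoted in the post (addresses masked
# as in the post) plus one ordinary rule for contrast.
SAMPLE_OUTPUT = """\
00774 2737174067806208 0 deny ip from a.b.c.201 to 0.0.0.0:29.6.0.0 ipopt ssrr,!lsrr,!rr,ts tcpflg !fin,syn,!syn,rst,psh,!psh,!ack,urg,!urg
00774 15068690894553088 14598987537281187840 deny ip from any to 255.255.255.255:30.6.0.0 ipopt ssrr,!ssrr,lsrr,rr,!rr,!ts tcpflg fin,!fin,syn,!syn,rst,psh,!psh,!ack,urg,!urg
00100 1234 567890 allow ip from any to any via lo0
"""

# Assumption for the plausibility bound: one year of a saturated T1 (1.544 Mbit/s).
MAX_PLAUSIBLE_BYTES = (1_544_000 // 8) * 365 * 24 * 3600
MIN_IP_PACKET = 20  # no IP packet is shorter than its 20-byte header

RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")   # number, packets, bytes, body
OPTLIST_RE = re.compile(r"\b(ipopt|tcpflg)\s+(\S+)")      # comma-separated option lists


def contradictory_tokens(field):
    """Names that appear both asserted and negated in an ipopt/tcpflg list (e.g. syn and !syn)."""
    tokens = field.split(",")
    asserted = {t for t in tokens if not t.startswith("!")}
    negated = {t[1:] for t in tokens if t.startswith("!")}
    return sorted(asserted & negated)


def check_rule(line):
    """Return a list of findings for one 'ipfw show' line; empty means it looks sane."""
    m = RULE_RE.match(line)
    if not m:
        return ["unparseable rule line"]
    number, pkts, nbytes, body = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
    findings = []
    if nbytes > MAX_PLAUSIBLE_BYTES:
        findings.append(f"{number}: byte counter {nbytes} exceeds a year of saturated T1")
    if pkts and nbytes < pkts * MIN_IP_PACKET:
        findings.append(f"{number}: {pkts} packets but only {nbytes} bytes")
    for kind, field in OPTLIST_RE.findall(body):
        for tok in contradictory_tokens(field):
            findings.append(f"{number}: {kind} both requires and excludes {tok}")
    return findings


def check_output(text):
    """Map each non-empty line of 'ipfw show' output to its findings."""
    return {line: check_rule(line) for line in text.splitlines() if line.strip()}


if __name__ == "__main__":
    for line, findings in check_output(SAMPLE_OUTPUT).items():
        print(line[:45], "->", findings or "ok")
```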