Snort mailing list archives

not allowed traffic in the Intranet [RMC-VUCLPP3]


From: "Romulo M. Cholewa" <rmc () rmc eti br>
Date: Tue, 4 Feb 2003 12:08:32 -0300

Hi all,

I recently received some alerts that disturbed me. I would like to confirm it as a bug (it can't be a 
misconfiguration). It could be a snort bug (almost discarded) or simply a ZoneAlarm bug.

My "firewall" provides Internet access through Windows 2K NAT (W2K SP3 All HFs) and has two interfaces. An external one 
(192.168.7.254) and a local one (10.255.255.254).

The external interface is connected to an ADSL modem (Allied Data Tech CJ810) also with NAT enabled. It has some 
portmappings to 192.168.7.254 (firewall, which portmaps 21, 25, 80, 443, and some other ports, but NOT 137 / 139 / 445).

The firewall is running ZoneAlarm Pro latest version. Internet zone set to high, trusted zone set to med (IPsec is used 
in the intranet).

My webserver is 10.255.255.253 (remember: the ADSL modem portmaps port 80 to 192.168.7.254, and the firewall portmaps 
it to 10.255.255.253). NO OTHER ports are portmapped. snort, running on the webserver, detected a netbios name query 
from an IP address on... the internet! (???)

How could that be?

I can think of only one thing. This is reply traffic (my server did a name query, and simply received the answer). 
Since ZoneAlarm is configured to high for the internet traffic, it would not allow netbios traffic, but it did.

I would like to hear some comments. I'm almost sure this is a ZA Pro bug, and I want to submit it.

Thanks in advance,

Romulo M. Cholewa
Home : http://www.rmc.eti.br
Forum: http://zeus.rmc.eti.br/forum
PGP Keys Available @ website.

    'Art is the only way to run away without leaving home.' -    
                           Twyla Tharp                           
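
The reply-traffic theory in the message above can be checked against the UDP/137 payload behind the alert, because the NBNS header (RFC 1002) carries a response bit. The following is an added example, not part of the original post and not Snort code; the sample packets, the name WEBSRV and the address 203.0.113.7 are constructed, and the parser assumes a name with no NetBIOS scope ID.

```python
import ipaddress
import struct

# RFC 1918 ranges, listed explicitly (the post's networks are 10.x and 192.168.7.x).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def encode_name(name, suffix=0x00):
    """First-level encode a NetBIOS name: each of 16 bytes becomes two letters A-P."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    enc = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return b"\x20" + enc + b"\x00"   # length byte, 32 encoded bytes, terminator

def decode_name(field):
    """Reverse encode_name(); returns (name, suffix)."""
    if len(field) < 34 or field[0] != 0x20:
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((field[i] - 0x41) << 4) | (field[i + 1] - 0x41) for i in range(1, 33, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def classify(src_ip, payload):
    """Classify one UDP/137 payload as seen by the sensor on the internal host."""
    if len(payload) < 12:
        raise ValueError("shorter than the 12-byte NBNS header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    is_response = bool(flags & 0x8000)   # R bit: 0 = request, 1 = response
    opcode = (flags >> 11) & 0x0F        # 0 = name query
    name, suffix = decode_name(payload[12:46])  # question name or answer RR name
    external = not any(ipaddress.ip_address(src_ip) in n for n in RFC1918)
    if is_response:
        verdict = "reply"                         # fits the "answer to my own query" theory
    elif external:
        verdict = "unsolicited-external-request"  # not a reply: a request from outside arrived
    else:
        verdict = "internal-request"
    return {"txid": txid, "opcode": opcode, "name": name, "suffix": suffix,
            "questions": qd, "answers": an, "verdict": verdict}

# Constructed samples (not taken from the post); 203.0.113.7 is a documentation address.
QUERY = (struct.pack("!6H", 0x1A2B, 0x0100, 1, 0, 0, 0) + encode_name("WEBSRV")
         + struct.pack("!2H", 0x0020, 0x0001))
REPLY = (struct.pack("!6H", 0x1A2B, 0x8500, 0, 1, 0, 0) + encode_name("WEBSRV")
         + struct.pack("!2HIH", 0x0020, 0x0001, 300, 6) + struct.pack("!H4B", 0x0000, 203, 0, 113, 7))

if __name__ == "__main__":
    print(classify("203.0.113.7", QUERY))
    print(classify("203.0.113.7", REPLY))
```

A "reply" verdict whose transaction ID matches a request the server sent earlier supports the reply-traffic explanation; a request from a non-RFC 1918 source does not.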
                                                                 
                                                                 

