I am using a Smoothwall Express firewall with Red, Orange and Green interfaces. Since last Saturday I am getting a lot of traffic that is being generated from my Red interface. My SNORT IDS log looks like the following:

Date: 07/27 08:48:13 Name: (http_inspect) NON-RFC HTTP DELIMITER
Priority: n/a Type: n/a
IP info: my_external_ip:37311 -> 216.200.108.248:80

Date: 07/27 09:19:49 Name: (http_inspect) DOUBLE DECODING ATTACK
Priority: n/a Type: n/a
IP info: my_external_ip:38382 -> 64.4.61.250:80

Date: 07/27 09:20:01 Name: (http_inspect) BARE BYTE UNICODE ENCODING
Priority: n/a Type: n/a
IP info: my_external_ip:38400 -> 38.118.85.26:80

At first I thought I probably had a Windows client, infected with spyware, sitting in the green zone generating all this traffic. Then I realized SNORT would log the IP of the Windows client, not my_external_ip. I tried netstat, tcpdump and ps to see anything unusual but did not find anything.

I tried the Smoothwall forum and Google; did not find anything helpful.

Does anyone have any idea what is happening?

Thanks,

Nash

From [EMAIL PROTECTED] Wed Jul 27 10:18:34 2005
From: [EMAIL PROTECTED] (Shannon Roddy)
Date: Wed Jul 27 10:18:12 2005
Subject: [brlug-general] Smoothwall Express
In-Reply-To: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>

I get hundreds of those same alerts a day on my work LAN/WAN connection. I have not had a chance to pore through the snort alerts in detail, but my suspicion is that those particular triggers are generally false alarms (and/or things that should already be patched). I get a bit more concerned when I see actual spyware signatures, virus signatures, trojan sigs, etc. rather than the generic stuff. You might want to look at bleedingsnort.org and try their rules. It is amazing what the rules will pick up. Not sure how you would go about installing the bleeding-snort rules on smoothwall.

Shannon

On 7/27/05, Nashid Hasan <[EMAIL PROTECTED]> wrote:
> I am using a Smoothwall Express firewall with Red, Orange and Green
> interfaces. [...]

From [EMAIL PROTECTED] Wed Jul 27 11:03:41 2005
From: [EMAIL PROTECTED] (Karthik Poobalasubramanian)
Date: Wed Jul 27 11:03:25 2005
Subject: [brlug-general] Smoothwall Express
In-Reply-To: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Message-ID: <200507271103.01583.Karthik Poobalasubramanian <Karthik Poobalasubramanian>>

Hasan,

I haven't used smoothwall but those entries look like some http requests to websites. The reverse DNS on 216.200.108.248 shows that it's blackboard (LSU?) and the second one is hotmail. I am not sure about the third one but there is a website hosted with that ip.

--
Karthik Poobalasubramanian
[EMAIL PROTECTED]

On 07/27/2005 09:58 am, Nashid Hasan wrote:
> I am using a Smoothwall Express firewall with Red, Orange and Green
> interfaces. [...]
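The question the thread leaves open is how to get from an alert that names only the external address back to the green host that actually sent the request. The following is an added example, not code from the thread or from Smoothwall: it assumes the green network is masqueraded behind the red address (so Snort listening on RED sees every outbound request with the firewall's own external IP and a rewritten source port), and that a dump of the kernel's connection-tracking table in the Linux 2.4 /proc/net/ip_conntrack layout was captured around the time of the alerts. The alert lines use 203.0.113.5, a documentation address, in place of my_external_ip; the alert lines, conntrack entries, and the hosts 192.168.0.23 and 192.168.0.40 are all constructed samples, and the function names are the example's own.

```python
"""Map Snort alerts logged on a masqueraded RED interface back to green hosts.

Added example, not part of the original thread. Assumes the firewall NATs
the green network behind the red address and that /proc/net/ip_conntrack
(Linux 2.4 format) was captured near the alert time. Every input below is
a constructed sample.
"""
import re
from collections import Counter

# Constructed alert lines in the same layout as the Smoothwall IDS page.
# 203.0.113.5 stands in for the firewall's external (RED) address.
ALERTS = """\
Date: 07/27 08:48:13 Name: (http_inspect) NON-RFC HTTP DELIMITER Priority: n/a Type: n/a IP info: 203.0.113.5:37311 -> 216.200.108.248:80
Date: 07/27 09:19:49 Name: (http_inspect) DOUBLE DECODING ATTACK Priority: n/a Type: n/a IP info: 203.0.113.5:38382 -> 64.4.61.250:80
Date: 07/27 09:20:01 Name: (http_inspect) BARE BYTE UNICODE ENCODING Priority: n/a Type: n/a IP info: 203.0.113.5:38400 -> 38.118.85.26:80
Date: 07/27 09:25:44 Name: (http_inspect) DOUBLE DECODING ATTACK Priority: n/a Type: n/a IP info: 203.0.113.5:40000 -> 64.4.61.250:80
"""

# Constructed /proc/net/ip_conntrack lines. The first src/dst/sport/dport
# tuple is the original direction (green host -> web server). The second is
# the reply direction; its dport is the masqueraded source port, i.e. the
# port Snort reports on RED. The last alert above has no matching entry.
CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.0.23 dst=216.200.108.248 sport=1167 dport=80 src=216.200.108.248 dst=203.0.113.5 sport=80 dport=37311 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.0.23 dst=64.4.61.250 sport=1202 dport=80 src=64.4.61.250 dst=203.0.113.5 sport=80 dport=38382 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.0.40 dst=38.118.85.26 sport=3301 dport=80 src=38.118.85.26 dst=203.0.113.5 sport=80 dport=38400 [ASSURED] use=1
"""

ALERT_RE = re.compile(
    r"Date: (?P<date>\S+ \S+) Name: (?P<name>.+?) Priority: .*?"
    r"IP info: (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alerts(text):
    """Return one dict per alert line: date, name, src, sport, dst, dport."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            a = m.groupdict()
            a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
            alerts.append(a)
    return alerts


def parse_conntrack(text):
    """Index TCP entries by the 4-tuple Snort sees on RED.

    Key: (external_ip, nat_port, server_ip, server_port)
    Value: (green_host_ip, original_source_port)
    """
    table = {}
    for line in text.splitlines():
        if not line.startswith("tcp"):
            continue
        kv = re.findall(r"\b(src|dst|sport|dport)=(\S+)", line)
        if len(kv) != 8:  # malformed or non-NAT entry; skip
            continue
        orig, reply = dict(kv[:4]), dict(kv[4:])
        key = (reply["dst"], int(reply["dport"]), reply["src"], int(reply["sport"]))
        table[key] = (orig["src"], int(orig["sport"]))
    return table


def attribute_alerts(alert_text, conntrack_text):
    """Attach the green host behind each alert, or None if no entry matched."""
    table = parse_conntrack(conntrack_text)
    results = []
    for a in parse_alerts(alert_text):
        key = (a["src"], a["sport"], a["dst"], a["dport"])
        results.append({**a, "internal": table.get(key)})
    return results


def alerts_per_host(results):
    """Count alerts by (green host or 'unattributed', alert name)."""
    return Counter(
        ((r["internal"] or ("unattributed",))[0], r["name"]) for r in results
    )


if __name__ == "__main__":
    for r in attribute_alerts(ALERTS, CONNTRACK):
        host = r["internal"][0] if r["internal"] else "unattributed"
        print(f'{r["date"]} {host:>14} -> {r["dst"]}:{r["dport"]}  {r["name"]}')
```

The fourth alert stays unattributed on purpose: a conntrack entry only lives as long as the flow (plus the protocol timeout), so the table has to be captured close to the alert time. On a 2.4 kernel the dump comes from `cat /proc/net/ip_conntrack`; on later kernels with the conntrack tools it is `conntrack -L`, whose output uses the same src=/dst=/sport=/dport= pairs.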
