* Scary Hole in the Firewall?
@ 2004-07-19 19:29 David Cary Hart
  2004-07-19 19:42 ` Aleksandar Milivojevic
  2004-07-19 19:50 ` Antony Stone
  0 siblings, 2 replies; 4+ messages in thread
From: David Cary Hart @ 2004-07-19 19:29 UTC (permalink / raw)
  To: netfilter

Platform = Fedora 2
IPTables firewall. Snort running inside the firewall.

Here's the log entry. This is the default log entry prior to DROP. In
other words, what gets logged, gets dropped.

Jul 19 14:32:39 mail kernel: DEFAULT - Firewall: IN=eth0 OUT=
MAC=00:4f:4e:12:f9:93:00:09:5b:c9:37:54:08:00 SRC=203.202.150.156
DST=192.168.0.31 LEN=404 TOS=0x00 PREC=0x00 TTL=111 ID=4719 PROTO=UDP
SPT=1042 DPT=1434 LEN=384 

Here's the Snort log:

[**] MS-SQL Worm propagation attempt [**]
07/19-14:32:39.314347 203.202.150.156:1042 -> 192.168.0.31:1434
UDP TTL:111 TOS:0x0 ID:4719 IpLen:20 DgmLen:404
Len: 376
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS-SQL version overflow attempt [**]
07/19-14:32:39.314347 203.202.150.156:1042 -> 192.168.0.31:1434
UDP TTL:111 TOS:0x0 ID:4719 IpLen:20 DgmLen:404
Len: 376

Now what?

-- 
                            David Cary Hart
                                                         Hart's PGP key:
            http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x58A60BB1





* Re: Scary Hole in the Firewall?
  2004-07-19 19:29 Scary Hole in the Firewall? David Cary Hart
@ 2004-07-19 19:42 ` Aleksandar Milivojevic
       [not found]   ` <1090266741.11052.12.camel@dchws.tqmcube.com>
  2004-07-19 19:50 ` Antony Stone
  1 sibling, 1 reply; 4+ messages in thread
From: Aleksandar Milivojevic @ 2004-07-19 19:42 UTC (permalink / raw)
  To: NetFilter List

David Cary Hart wrote:
> Platform = Fedora 2
> IPTables firewall. Snort running inside the firewall.

Question.  Inside the firewall as in "on a separate machine inside the firewall", 
or as in "on the same machine as the firewall"?

In the former case, it might as well be that the packet you are seeing had a 
spoofed IP address, and that it originated inside your network.  Is eth0 
on your LAN or outside?  Another case could be that you have an omission in 
your firewall rules (so that "what is logged is not always dropped").

In the latter case, what you are seeing is what you were supposed to see (if 
I'm correct on how snort works, by sniffing network traffic directly from 
the network interface).

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7



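Aleksandar's second scenario above, a LOG rule with no matching DROP behind it, is the kind of ruleset gap that can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from the netfilter project: it audits a constructed `iptables-save` dump (only the "DEFAULT - Firewall: " log prefix is taken from the original post; the rules themselves are made up for illustration) and flags every LOG rule that is not immediately followed by a DROP or REJECT carrying the identical match, unless it is the last rule of a chain whose policy is DROP, in which case the packet falls through to the policy and is dropped anyway.

```python
import shlex

# Constructed iptables-save dump for illustration (not the poster's ruleset); only the
# "DEFAULT - Firewall: " log prefix is taken from the thread.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1434 -j LOG --log-prefix "DEFAULT - Firewall: "
-A INPUT -i eth0 -p udp -m udp --dport 1434 -j DROP
-A FORWARD -i eth0 -p tcp -m tcp --dport 445 -j LOG --log-prefix "SMB: "
-A FORWARD -i eth0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -j LOG --log-prefix "DEFAULT - Firewall: "
COMMIT
"""

# Targets that guarantee the packet goes no further in this table.
TERMINATING = {"DROP", "REJECT"}


def parse_ruleset(text: str):
    """Return (chain policies, rules per chain) parsed from iptables-save text.
    Each rule is stored as (match tokens, target, target options)."""
    policies, chains = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "*#" or line == "COMMIT":
            continue
        if line.startswith(":"):
            # ":INPUT DROP [0:0]" -> chain name and policy ("-" for user chains)
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
            continue
        tokens = shlex.split(line)  # shlex keeps quoted log prefixes intact
        if tokens[0] != "-A" or "-j" not in tokens:
            continue  # only appended rules with a target are audited
        chain = tokens[1]
        j = tokens.index("-j")
        chains.setdefault(chain, []).append((tokens[2:j], tokens[j + 1], tokens[j + 2:]))
    return policies, chains


def audit_log_rules(text: str):
    """Flag LOG rules whose packets are not guaranteed to be dropped afterwards.
    Returns a list of (chain, match spec, status) tuples, one per LOG rule."""
    policies, chains = parse_ruleset(text)
    findings = []
    for chain, rules in chains.items():
        for i, (match, target, _opts) in enumerate(rules):
            if target != "LOG":
                continue
            nxt = rules[i + 1] if i + 1 < len(rules) else None
            if nxt is not None and nxt[0] == match and nxt[1] in TERMINATING:
                status = "ok: followed by " + nxt[1]
            elif nxt is None and policies.get(chain) == "DROP":
                status = "ok: last rule, chain policy DROP"
            else:
                status = "GAP: logged but not dropped"
            findings.append((chain, " ".join(match), status))
    return findings


if __name__ == "__main__":
    for chain, match, status in audit_log_rules(SAMPLE_RULESET):
        print(f"{chain:8} {match or '(any)':45} {status}")
```

Run against a live box with `iptables-save | python3 audit.py` (reading stdin instead of the constructed string). The FORWARD rule in the sample is the case Aleksandar describes: the packet is logged with a scary prefix and then accepted by the very next rule, so a log entry there proves nothing about the packet's fate.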
* Re: Scary Hole in the Firewall?
  2004-07-19 19:29 Scary Hole in the Firewall? David Cary Hart
  2004-07-19 19:42 ` Aleksandar Milivojevic
@ 2004-07-19 19:50 ` Antony Stone
  1 sibling, 0 replies; 4+ messages in thread
From: Antony Stone @ 2004-07-19 19:50 UTC (permalink / raw)
  To: NetFilter List

On Monday 19 July 2004 8:29 pm, David Cary Hart wrote:

> Platform = Fedora 2
> IPTables firewall. Snort running inside the firewall.
>
> Here's the log entry. This is the default log entry prior to DROP. In
> other words, what gets logged, gets dropped.
>
> Jul 19 14:32:39 mail kernel: DEFAULT - Firewall: IN=eth0 OUT=
> MAC=00:4f:4e:12:f9:93:00:09:5b:c9:37:54:08:00 SRC=203.202.150.156
> DST=192.168.0.31 LEN=404 TOS=0x00 PREC=0x00 TTL=111 ID=4719 PROTO=UDP
> SPT=1042 DPT=1434 LEN=384
>
> Here's the Snort log:
>
> [**] MS-SQL Worm propagation attempt [**]
> 07/19-14:32:39.314347 203.202.150.156:1042 -> 192.168.0.31:1434
> UDP TTL:111 TOS:0x0 ID:4719 IpLen:20 DgmLen:404
> Len: 376
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> [**] MS-SQL version overflow attempt [**]
> 07/19-14:32:39.314347 203.202.150.156:1042 -> 192.168.0.31:1434
> UDP TTL:111 TOS:0x0 ID:4719 IpLen:20 DgmLen:404
> Len: 376
>
> Now what?

Well, without seeing your firewall ruleset, we can't offer much advice about 
why this packet got caught by snort.

Also, where is eth0 on your firewall? Inside or outside? I notice that the 
log entry says it came in on eth0 but didn't go out, therefore it's not being 
routed....

Regards,

Antony.

-- 
If the human brain were so simple that we could understand it,
we'd be so simple that we couldn't.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: Scary Hole in the Firewall?
       [not found]   ` <1090266741.11052.12.camel@dchws.tqmcube.com>
@ 2004-07-19 20:01     ` Aleksandar Milivojevic
  0 siblings, 0 replies; 4+ messages in thread
From: Aleksandar Milivojevic @ 2004-07-19 20:01 UTC (permalink / raw)
  To: Netfilter User Mailinglist

David Cary Hart wrote:
> On Mon, 2004-07-19 at 15:42, Aleksandar Milivojevic wrote:
>>Question.  Inside the firewall as in "on a separate machine inside the firewall", 
>>or as in "on the same machine as the firewall"?
> 
> -snip-
> 
>>In the latter case, what you are seeing is what you were supposed to see (if 
>>I'm correct on how snort works, by sniffing network traffic directly from 
>>the network interface).
> 
> Same machine. I think that Snort only sees what gets through the
> firewall.

Actually, if Snort is sniffing traffic directly on the network interface 
(like tcpdump or ethereal), then it will see the packets as they arrive 
on the wire (before Netfilter can filter them out).

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7



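The closing point, that Snort on the firewall host sees a packet before Netfilter decides its fate, means an IDS alert on its own says nothing about whether the packet was delivered. What settles it is correlating the Snort alert with the kernel LOG entry for the same datagram. The following is an added example, not part of the thread: it parses the two records quoted in the original post (embedded here as constructed sample strings copied from that post), matches them on addresses, ports, protocol, IP ID, TTL and IP total length, checks that the two UDP length fields agree (the LOG target's second LEN is the UDP length including the 8-byte UDP header, Snort's "Len:" is payload only, so 384 - 8 = 376), and reports which chain the LOG rule fired in from the IN=/OUT= fields. That chain inference (both set: FORWARD; only IN: INPUT or PREROUTING; only OUT: OUTPUT) is the standard netfilter convention; the function names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the netfilter LOG line and the Snort alert quoted in the
# thread (same packet: 203.202.150.156:1042 -> 192.168.0.31:1434, IP ID 4719).
IPTABLES_LOG = (
    "Jul 19 14:32:39 mail kernel: DEFAULT - Firewall: IN=eth0 OUT= "
    "MAC=00:4f:4e:12:f9:93:00:09:5b:c9:37:54:08:00 SRC=203.202.150.156 "
    "DST=192.168.0.31 LEN=404 TOS=0x00 PREC=0x00 TTL=111 ID=4719 PROTO=UDP "
    "SPT=1042 DPT=1434 LEN=384"
)
SNORT_ALERT = (
    "[**] MS-SQL Worm propagation attempt [**]\n"
    "07/19-14:32:39.314347 203.202.150.156:1042 -> 192.168.0.31:1434\n"
    "UDP TTL:111 TOS:0x0 ID:4719 IpLen:20 DgmLen:404\n"
    "Len: 376\n"
)

UDP_HEADER_LEN = 8


@dataclass(frozen=True)
class PacketKey:
    """Fields that identify one IP datagram in both log formats."""
    src: str
    spt: int
    dst: str
    dpt: int
    proto: str
    ip_id: int
    ttl: int
    ip_len: int


def parse_iptables_log(line: str) -> dict:
    """Parse the KEY=VALUE fields of a netfilter LOG line. LEN appears twice
    (IP total length, then the UDP length), so both are kept separately."""
    fields, lens = {}, []
    for key, value in re.findall(r"(\w+)=(\S*)", line):
        if key == "LEN":
            lens.append(int(value))
        else:
            fields.setdefault(key, value)  # OUT= yields an empty string
    fields["ip_len"] = lens[0]
    fields["l4_len"] = lens[1] if len(lens) > 1 else None
    return fields


def iptables_key(fields: dict) -> PacketKey:
    return PacketKey(fields["SRC"], int(fields["SPT"]), fields["DST"], int(fields["DPT"]),
                     fields["PROTO"], int(fields["ID"]), int(fields["TTL"]), fields["ip_len"])


SNORT_RE = re.compile(
    r"\[\*\*\] (?P<msg>.+?) \[\*\*\]\n"
    r"\S+ (?P<src>[\d.]+):(?P<spt>\d+) -> (?P<dst>[\d.]+):(?P<dpt>\d+)\n"
    r"(?P<proto>\w+) TTL:(?P<ttl>\d+) TOS:\S+ ID:(?P<id>\d+) IpLen:\d+ DgmLen:(?P<dgmlen>\d+)\n"
    r"Len: (?P<payload>\d+)"
)


def parse_snort_alert(text: str) -> dict:
    """Parse the first alert in Snort's 'full' alert format."""
    m = SNORT_RE.search(text)
    if m is None:
        raise ValueError("unrecognised Snort alert format")
    d = m.groupdict()
    key = PacketKey(d["src"], int(d["spt"]), d["dst"], int(d["dpt"]),
                    d["proto"], int(d["id"]), int(d["ttl"]), int(d["dgmlen"]))
    return {"msg": d["msg"], "payload_len": int(d["payload"]), "key": key}


def chain_hint(fields: dict) -> str:
    """Infer the chain the LOG rule fired in from which interfaces are set:
    FORWARD sets both IN and OUT; INPUT (and PREROUTING) only IN; OUTPUT only OUT."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    if has_in:
        return "INPUT or PREROUTING"
    if has_out:
        return "OUTPUT"
    return "unknown"


def correlate(iptables_line: str, snort_text: str) -> dict:
    """Decide whether a Snort alert and a netfilter LOG entry describe the same
    datagram and whether their UDP length fields are mutually consistent."""
    fields = parse_iptables_log(iptables_line)
    alert = parse_snort_alert(snort_text)
    same_packet = iptables_key(fields) == alert["key"]
    l4 = fields["l4_len"]
    lengths_agree = (l4 is not None and fields["PROTO"] == "UDP"
                     and l4 - UDP_HEADER_LEN == alert["payload_len"])
    return {
        "alert": alert["msg"],
        "same_packet": same_packet,
        "lengths_agree": lengths_agree,
        "chain": chain_hint(fields),
        "verdict": ("alert matches a packet that hit the LOG rule (and the DROP behind it)"
                    if same_packet else "no matching LOG entry: look for a gap in the ruleset"),
    }


if __name__ == "__main__":
    for name, value in correlate(IPTABLES_LOG, SNORT_ALERT).items():
        print(f"{name}: {value}")
```

For the poster's records this reports a match, a consistent length pair, and "INPUT or PREROUTING" (OUT= is empty, which is Antony's observation that the packet was not routed: 192.168.0.31 is a local address of the firewall host). The case worth chasing is the opposite one, a Snort alert for which no LOG entry with the same IP ID and 4-tuple exists.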