Scary Hole in the Firewall?

Platform = Fedora 2
IPTables firewall. Snort running inside the firewall.

Here's the log entry. This is the default log entry prior to DROP. In
other words, what gets logged, gets dropped.

Jul 19 14:32:39 mail kernel: DEFAULT - Firewall: IN=eth0 OUT=
MAC=00:4f:4e:12:f9:93:00:09:5b:c9:37:54:08:00 SRC=203.202.150.156
DST=192.168.0.31 LEN=404 TOS=0x00 PREC=0x00 TTL=111 ID=4719 PROTO=UDP
SPT=1042 DPT=1434 LEN=384 

Here's the Snort log:

[**] MS-SQL Worm propagation attempt [**]
07/19-14:32:39.314347 203.202.150.156:1042 -> 192.168.0.31:1434
UDP TTL:111 TOS:0x0 ID:4719 IpLen:20 DgmLen:404
Len: 376
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS-SQL version overflow attempt [**]
07/19-14:32:39.314347 203.202.150.156:1042 -> 192.168.0.31:1434
UDP TTL:111 TOS:0x0 ID:4719 IpLen:20 DgmLen:404
Len: 376

Now what?

-- 
                            David Cary Hart
                                                         Hart's PGP key:
            http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x58A60BB1
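The check a defender would want here is whether the Snort alert refers to the very packet the LOG rule recorded, rather than a second packet that arrived by another path. Both logs carry enough to decide that: protocol, source and destination address and port, and the IP identification field (ID=4719 in the kernel line, ID:4719 in the Snort header). The script below is an added example, not code from the post or from netfilter or Snort; it parses the two formats as they appear above (the sample input is a copy of those log lines) and reports alerts that name a packet the firewall logged. The LOG prefix "DEFAULT - Firewall:" is taken from the post; the 2ND_ key naming and the function names are this example's own convention. One fact worth knowing when reading a match: a sniffer on the firewall host, or on the outside segment, receives packets through the packet tap before the IP layer runs the INPUT and FORWARD chains, so an alert on a logged-and-dropped packet is expected from a sensor placed there and does not by itself show the packet passed; a sensor on the inside network seeing the same ID would.

```python
"""Correlate netfilter LOG lines with Snort alert blocks by packet identity.

Added example, not from the original post. A packet is identified by the
5-tuple plus the IP ID field, which both log formats carry.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input: the same lines as in the post, in the same shape.
IPTABLES_LOG_LINES = [
    "Jul 19 14:32:39 mail kernel: DEFAULT - Firewall: IN=eth0 OUT= "
    "MAC=00:4f:4e:12:f9:93:00:09:5b:c9:37:54:08:00 SRC=203.202.150.156 "
    "DST=192.168.0.31 LEN=404 TOS=0x00 PREC=0x00 TTL=111 ID=4719 PROTO=UDP "
    "SPT=1042 DPT=1434 LEN=384",
]

SNORT_ALERTS = """\
[**] MS-SQL Worm propagation attempt [**]
07/19-14:32:39.314347 203.202.150.156:1042 -> 192.168.0.31:1434
UDP TTL:111 TOS:0x0 ID:4719 IpLen:20 DgmLen:404
Len: 376
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] MS-SQL version overflow attempt [**]
07/19-14:32:39.314347 203.202.150.156:1042 -> 192.168.0.31:1434
UDP TTL:111 TOS:0x0 ID:4719 IpLen:20 DgmLen:404
Len: 376
"""

KV_RE = re.compile(r"(\w+)=(\S*)")            # KEY=value pairs; OUT= is empty
PREFIX_RE = re.compile(r"kernel: (.*?) IN=")  # --log-prefix text before IN=
SNORT_HDR_RE = re.compile(r"^\[\*\*\] (.*?) \[\*\*\]$")
SNORT_FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
SNORT_IP_RE = re.compile(r"^(\w+) TTL:(\d+) .*\bID:(\d+)")


def parse_iptables_log(line: str) -> Dict[str, str]:
    """Parse one netfilter LOG line into a dict of its KEY=value fields.

    The kernel prints LEN twice (IP total length, then UDP length). A repeated
    key is stored under a "2ND_" prefix (this example's convention) so neither
    value is lost.
    """
    fields: Dict[str, str] = {}
    m = PREFIX_RE.search(line)
    fields["PREFIX"] = m.group(1).strip() if m else ""
    for key, value in KV_RE.findall(line):
        fields["2ND_" + key if key in fields else key] = value
    return fields


def parse_snort_alerts(text: str) -> List[Dict[str, str]]:
    """Parse alert blocks (header, flow line, IP line) in the post's format."""
    alerts: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=+="):
            continue  # blank line or the separator row between alerts
        if m := SNORT_HDR_RE.match(line):
            current = {"msg": m.group(1)}
            alerts.append(current)
        elif m := SNORT_FLOW_RE.match(line):
            current.update(ts=m.group(1), src=m.group(2), spt=m.group(3),
                           dst=m.group(4), dpt=m.group(5))
        elif m := SNORT_IP_RE.match(line):
            current.update(proto=m.group(1), ttl=m.group(2), ip_id=m.group(3))
    return alerts


def packet_key(proto: str, src: str, spt: str, dst: str, dpt: str,
               ip_id: str) -> Tuple[str, ...]:
    """Identity used to match a firewall record against a sensor alert."""
    return (proto.upper(), src, spt, dst, dpt, ip_id)


def correlate(iptables_lines: List[str], snort_text: str) -> List[Tuple[str, str]]:
    """Return (alert message, LOG prefix) for every alert whose packet the
    firewall also logged. An empty list means the sensor saw packets the
    firewall never recorded, which is the case that needs a closer look."""
    logged: Dict[Tuple[str, ...], str] = {}
    for line in iptables_lines:
        f = parse_iptables_log(line)
        if f.get("PROTO") not in ("TCP", "UDP"):
            continue  # no ports to match on for other protocols
        key = packet_key(f["PROTO"], f["SRC"], f["SPT"], f["DST"], f["DPT"], f["ID"])
        logged[key] = f["PREFIX"]
    matches: List[Tuple[str, str]] = []
    for a in parse_snort_alerts(snort_text):
        key = packet_key(a["proto"], a["src"], a["spt"], a["dst"], a["dpt"], a["ip_id"])
        if key in logged:
            matches.append((a["msg"], logged[key]))
    return matches


if __name__ == "__main__":
    for msg, prefix in correlate(IPTABLES_LOG_LINES, SNORT_ALERTS):
        print(f"alert '{msg}' is the packet logged by rule '{prefix}'")
```

Run against the two logs above it reports both alerts as the single packet the LOG rule recorded; whether that is benign depends on where the sensor captures relative to the DROP, which is the first thing to pin down before treating it as a hole.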
