Re: Scary Hole in the Firewall?

On Monday 19 July 2004 8:29 pm, David Cary Hart wrote:

> Platform = Fedora 2
> IPTables firewall. Snort running inside the firewall.
>
> Here's the log entry. This is the default log entry prior to DROP. In
> other words, what gets logged, gets dropped.
>
> Jul 19 14:32:39 mail kernel: DEFAULT - Firewall: IN=eth0 OUT=
> MAC=00:4f:4e:12:f9:93:00:09:5b:c9:37:54:08:00 SRC=203.202.150.156
> DST=192.168.0.31 LEN=404 TOS=0x00 PREC=0x00 TTL=111 ID=4719 PROTO=UDP
> SPT=1042 DPT=1434 LEN=384
>
> Here's the Snort log:
>
> [**] MS-SQL Worm propagation attempt [**]
> 07/19-14:32:39.314347 203.202.150.156:1042 -> 192.168.0.31:1434
> UDP TTL:111 TOS:0x0 ID:4719 IpLen:20 DgmLen:404
> Len: 376
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> [**] MS-SQL version overflow attempt [**]
> 07/19-14:32:39.314347 203.202.150.156:1042 -> 192.168.0.31:1434
> UDP TTL:111 TOS:0x0 ID:4719 IpLen:20 DgmLen:404
> Len: 376
>
> Now what?

Well, without seeing your firewall ruleset, we can't offer much advice about
why this packet got caught by Snort.

Also, where is eth0 on your firewall? Inside or outside? I notice that the
log entry says it came in on eth0 but didn't go out, therefore it's not being
routed....

Regards,

Antony.

-- 
If the human brain were so simple that we could understand it,
we'd be so simple that we couldn't.

                                                     Please reply to the list;
                                                           please don't CC me.
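An added example (not code from either poster) that correlates the two records quoted above: it parses the iptables LOG line and the Snort alert, checks that they describe the same datagram (5-tuple plus IP ID, and the LEN=404 / LEN=384 / Len: 376 length chain), and reads the empty OUT= field the way Antony does. The field names and the "local-input"/"forward"/"local-output" labels are my own.

```python
import re

# Constructed copies of the two records quoted above (the iptables line joined into
# one string, the Snort alert kept as its four lines).
IPTABLES_LOG = ("Jul 19 14:32:39 mail kernel: DEFAULT - Firewall: IN=eth0 OUT= "
                "MAC=00:4f:4e:12:f9:93:00:09:5b:c9:37:54:08:00 SRC=203.202.150.156 "
                "DST=192.168.0.31 LEN=404 TOS=0x00 PREC=0x00 TTL=111 ID=4719 PROTO=UDP "
                "SPT=1042 DPT=1434 LEN=384")
SNORT_ALERT = """[**] MS-SQL Worm propagation attempt [**]
07/19-14:32:39.314347 203.202.150.156:1042 -> 192.168.0.31:1434
UDP TTL:111 TOS:0x0 ID:4719 IpLen:20 DgmLen:404
Len: 376"""

def parse_iptables_log(line):
    """KEY=VALUE fields of an iptables LOG line; the second LEN= (UDP length) is UDP_LEN."""
    fields = {}
    for key, value in re.findall(r"(\w+)=(\S*)", line):
        fields["UDP_LEN" if key == "LEN" and "LEN" in fields else key] = value
    return fields

def parse_snort_alert(text):
    """Header fields of a four-line Snort alert block."""
    lines = text.strip().splitlines()
    msg = re.match(r"\[\*\*\]\s*(.*?)\s*\[\*\*\]", lines[0]).group(1)
    src, sport, dst, dport = re.match(r"\S+\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)", lines[1]).groups()
    hdr = dict(re.findall(r"(\w+):(\S+)", lines[2]))  # TTL, TOS, ID, IpLen, DgmLen
    return {"msg": msg, "proto": lines[2].split()[0], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "ip_id": hdr["ID"], "iplen": int(hdr["IpLen"]),
            "dgmlen": int(hdr["DgmLen"]),
            "payload_len": int(re.search(r"Len:\s*(\d+)", lines[3]).group(1))}

def correlate(fw, ids):
    """Do the firewall drop and the IDS alert describe the same datagram, and where was it headed?"""
    same_packet = all(fw[a] == ids[b] for a, b in
                      [("SRC", "src"), ("SPT", "sport"), ("DST", "dst"),
                       ("DPT", "dport"), ("PROTO", "proto"), ("ID", "ip_id")])
    # Length chain: IP total LEN=404 minus the 20-byte IP header is the UDP LEN=384,
    # and 384 minus the 8-byte UDP header is the 376 payload bytes Snort reports.
    lengths_ok = (int(fw["LEN"]) == ids["dgmlen"]
                  and int(fw["LEN"]) - ids["iplen"] == int(fw["UDP_LEN"])
                  and int(fw["UDP_LEN"]) - 8 == ids["payload_len"])
    # IN= set and OUT= empty: addressed to the firewall host itself, not forwarded.
    # Both set would mean a forwarded packet; IN empty and OUT set, locally generated.
    direction = ("local-input" if fw["IN"] and not fw["OUT"]
                 else "forward" if fw["IN"] and fw["OUT"] else "local-output")
    return {"same_packet": same_packet, "lengths_consistent": lengths_ok,
            "direction": direction, "signature": ids["msg"]}
```

With the thread's records, `correlate()` reports the same packet, a consistent length chain, and "local-input", i.e. the datagram was destined for 192.168.0.31 itself rather than being routed through it.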