Solved

Intrusion Prevention Alert ICMP

Posted on 2007-11-21
Last Modified: 2012-06-22
I have a few campuses logging the following alert on their SonicWALL firewall:

11/19/2007 22:43:21.384 - Alert - Intrusion Prevention -    IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable), SID: 310, Priority: Low -   64.154.19.23, 53, WAN -     192.168.21.203, 1036, LAN, domaincontroller.ourdomain.com

I cannot find any information on this destination IP 64.154.19.23, except that it's owned by Level3??  No reverse pointer, A, MX, NS or other DNS entry??

Each campus logging this alert to this IP is having it originate from their DC (Server 2003).  All just started since Monday this week.  Anyone have some data on what this IP device is?  Or why this is coming from our DCs?  All our DCs are set up to forward DNS requests to our ISPs.

Thanks,
0
Question by:quinnwyo
9 Comments
 
LVL 12

Expert Comment

by:bhnmi
ID: 20329136
Do you run DNS on the DCs?
0
 
LVL 12

Accepted Solution

by:
bhnmi earned 300 total points
ID: 20329144
They are DNS packets, I am sure. I have similar entries in my logs as well.
0
 

Author Comment

by:quinnwyo
ID: 20329406
Yes, DNS on the DCs, but I have forwarders set up on them pointing to our ISPs' DNS.  I assume the only traffic from my DCs, destined for an external IP would be to our ISPs' DNS - two entries.  If the forwarders do not respond/resolve the domain name requested, the request should die and stop looking any further, correct??
0
 

Author Comment

by:quinnwyo
ID: 20329419
Each campus uses a different ISP BTW.  Strange how these alerts are showing up as destined to the same IP??
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20329479
Might be a top-level server at Level 3.
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20329490
This is what I get all the time

1/21/2007 09:29:59.096 -       IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable), SID: 310, Priority: Low -       66.45.254.244, 53, WAN -       192.168.1.19, 1058, LAN, server.mydomain.local -
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 20329496
:P The date is today; I cut off a 1.
0
 

Author Comment

by:quinnwyo
ID: 20329616
Not a big deal, but one of my campuses was getting this alert like 300 times in a 48-hour window.
0
 
LVL 10

Assisted Solution

by:budchawla
budchawla earned 200 total points
ID: 20330280
Sometimes I find that SonicWALLs tend to log a lot of pretty benign stuff as alerts... IMHO this is one of those cases. I turn off IPS detection for SID 310... you can decide whether that works for you or not, and whether to leave prevention enabled or not.

Most of our sites have site-site VPNs and we constantly get these alerts even over VPN traffic, so I actually tend to disable detection & prevention. Note that this doesn't mean that your firewall will start responding to pings from the internet!
0
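
One way to triage the alerts discussed in this thread, added here as an example and not posted by any participant: it parses the SonicWALL alert lines quoted above, counts SID 310 hits per LAN host and WAN peer, and flags port-53 peers that are not configured forwarders. The field layout is inferred from the two quoted lines; the forwarder addresses and the last three sample lines are constructed.

```python
import re
from collections import Counter

# Layout inferred from the two alert lines quoted in this thread:
# "... SID: <n>, Priority: <p> - <ip>, <port>, WAN - <ip>, <port>, LAN, <host>"
ALERT_RE = re.compile(
    r"IPS Detection Alert:\s*(?P<name>.+?),\s*SID:\s*(?P<sid>\d+),\s*"
    r"Priority:\s*(?P<prio>\w+)\s*-\s*"
    r"(?P<wan_ip>\d{1,3}(?:\.\d{1,3}){3}),\s*(?P<wan_port>\d+),\s*WAN\s*-\s*"
    r"(?P<lan_ip>\d{1,3}(?:\.\d{1,3}){3}),\s*(?P<lan_port>\d+),\s*LAN"
    r"(?:,\s*(?P<lan_host>[^\s,]+))?"
)

# Assumption: the DNS forwarders configured on the DCs (placeholder addresses).
FORWARDERS = {"203.0.113.10", "198.51.100.10"}

# First two lines are the ones quoted in the thread; the rest are constructed.
SAMPLE_LOG = [
    "11/19/2007 22:43:21.384 - Alert - Intrusion Prevention -    IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable), SID: 310, Priority: Low -   64.154.19.23, 53, WAN -     192.168.21.203, 1036, LAN, domaincontroller.ourdomain.com",
    "1/21/2007 09:29:59.096 -       IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable), SID: 310, Priority: Low -       66.45.254.244, 53, WAN -       192.168.1.19, 1058, LAN, server.mydomain.local -",
    "11/19/2007 22:44:02.112 - Alert - Intrusion Prevention - IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable), SID: 310, Priority: Low - 64.154.19.23, 53, WAN - 192.168.21.203, 1037, LAN, domaincontroller.ourdomain.com",
    "11/19/2007 22:45:10.530 - Alert - Intrusion Prevention - IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable), SID: 310, Priority: Low - 203.0.113.10, 53, WAN - 192.168.21.203, 1040, LAN, domaincontroller.ourdomain.com",
    "11/19/2007 22:46:00.000 - Notice - constructed line that is not an IPS alert",
]

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an IPS alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sid", "wan_port", "lan_port"):
        rec[key] = int(rec[key])
    return rec

def triage(lines, forwarders, sid=310):
    """Count alerts per (LAN host, WAN peer); flag port-53 peers that are not forwarders."""
    counts = Counter()
    for line in lines:
        rec = parse_alert(line)
        if rec and rec["sid"] == sid:
            counts[(rec["lan_ip"], rec["wan_ip"], rec["wan_port"])] += 1
    return [
        {"lan_ip": lan, "wan_ip": wan, "wan_port": port, "count": n,
         "unexpected_dns_peer": port == 53 and wan not in forwarders}
        for (lan, wan, port), n in counts.most_common()
    ]

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG, FORWARDERS), sep="\n")
```

A flagged peer means the alert involved a port-53 host other than the configured forwarders. On Windows Server 2003 DNS that is expected when the server falls back to root hints after a forwarder fails to answer, unless "Do not use recursion for this domain" is selected on the Forwarders tab.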

Question has a verified solution.
