Firewall "Attack" Audits
Posted on 2012-03-09
I've recently taken over as the firewall administrator for my network and I am constantly seeing "Attacks" on the Sidewinder Admin Console Dashboard. Every minute I'll get about 50 or so Audits that look like this:
pid: 1489 ruid: 0 euid: 0 pgid: 1489 logid: 0 cmd: 'httpp'
domian: htpp edomian: htpp hostname: myfirewall
category: protocol_violation event: unrequested server input
netsessid: SessionIDNumber srcip: internalIPaddress srcport: highport#
scrburb: internal dst_local_port: 80 protocol: 6 src_local_port:0
dstip: externalIPAdress dstport: 80 dstburb: external attackip: externalIPAdress
attackburb: external reason: Server input not requested by the client.
The source IP addresses are my internal clients and the destination IPs are from a lot of different places, however one range of IPs that comes up a lot is registered to Global Crossing according to dnsstuff.com (example: 18.104.22.168).
Can anyone shed light on what's going on here? It's happening to multiple client machines, some of which are a brand new install.
Thanks in advance!