Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Firewall "Attack" Audits

Posted on 2012-03-09
4
Medium Priority
?
1,159 Views
Last Modified: 2012-06-21
Hi all,

I've recently taken over as the firewall administrator for my network and I am constantly seeing "Attacks" on the Sidewinder Admin Console Dashboard. Every minute I'll get about 50 or so Audits that look like this:

pid: 1489 ruid: 0 euid: 0 pgid: 1489 logid: 0 cmd: 'httpp'
domian: htpp edomian: htpp hostname: myfirewall
category: protocol_violation event: unrequested server input
netsessid: SessionIDNumber srcip: internalIPaddress srcport: highport#
scrburb: internal dst_local_port: 80 protocol: 6 src_local_port:0
dstip: externalIPAdress dstport: 80 dstburb: external attackip: externalIPAdress
attackburb: external reason: Server input not requested by the client.

The source IP addresses are my internal clients and the destination IPs are from a lot of different places, however one range of IPs that comes up a lot is registered to Global Crossing according to dnsstuff.com (example: 64.215.158.24).

Can anyone shed light on what's going on here?  It's happening to multiple client machines, some of which are a brand new install.

Thanks in advance!

Josh
0
Comment
Question by:Osiris42
4 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 501 total points
ID: 37704969
Perhaps scan them with an offline AV scanner like M$'s: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline
That makes sure any rootkits or nasties are not loaded as you're running off the CD/DVD instead of the OS on the HD. If your internal IP's are "attacking" outside IP's then you should scan them for infection. Brand-new installs can be infected very quickly if you have a host internally that is looking to spread. Start there, and at the same time see if you can narrow down the IP's to legit traffic, perhaps your firewall is having a False Positive on these alerts.
-rich
0
 
LVL 65

Assisted Solution

by:btan
btan earned 501 total points
ID: 37705073
Looks.like likely the client should not be going to that ip.address as it is blacklisted
 http://www.robtex.com/ip/64.215.158.24.html
And if the rate of traffic from.each client is deem from being a human behaviour browsing, probably some automated malware is already hard at work...as of now, as mentioned by rich have those client checked, hopefully it is not dhcp but then has to traced back and isolate them esp new deployed one. How would they spread so far, storage affected, common file share, peer to peer scanning of null shares etc. I knew of a rampage of dnschanger recently...
0
 
LVL 5

Assisted Solution

by:andrew1812
andrew1812 earned 498 total points
ID: 37706286
You could use a protocol analyzer, and check for the source mac-address in the frame of these malicious packets .This would help you to identify the actual system/systems from which the malware is getting triggered.
0
 

Author Comment

by:Osiris42
ID: 37716621
Thanks for the info everyone.  I ran the offline virus scan on a few of the computers I was seeing in the logs and they all came up clean.  I also just got McAfee HIPS working on my clients and that has stopped the traffic from getting to the firewall.  I haven't had a chance to review the IPS logs on each machine yet, but that should give me a clue about what that traffic is and why it's happening.  

I'll post again when I figure something out.

Thanks again!

Josh
0

Featured Post

Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question