Solved

Firewall "Attack" Audits

Posted on 2012-03-09
1,100 Views
Last Modified: 2012-06-21
Hi all,

I've recently taken over as the firewall administrator for my network and I am constantly seeing "Attacks" on the Sidewinder Admin Console Dashboard. Every minute I'll get about 50 or so Audits that look like this:

pid: 1489 ruid: 0 euid: 0 pgid: 1489 logid: 0 cmd: 'httpp'
domian: htpp edomian: htpp hostname: myfirewall
category: protocol_violation event: unrequested server input
netsessid: SessionIDNumber srcip: internalIPaddress srcport: highport#
scrburb: internal dst_local_port: 80 protocol: 6 src_local_port:0
dstip: externalIPAdress dstport: 80 dstburb: external attackip: externalIPAdress
attackburb: external reason: Server input not requested by the client.

The source IP addresses are my internal clients and the destination IPs are from a lot of different places, however one range of IPs that comes up a lot is registered to Global Crossing according to dnsstuff.com (example: 64.215.158.24).

Can anyone shed light on what's going on here? It's happening to multiple client machines, some of which are brand new installs.

Thanks in advance!

Josh
Question by:Osiris42
4 Comments
LVL 38

Accepted Solution

by:
Rich Rumble earned 167 total points
ID: 37704969
Perhaps scan them with an offline AV scanner like M$'s: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline
That makes sure any rootkits or nasties are not loaded, as you're running off the CD/DVD instead of the OS on the HD. If your internal IPs are "attacking" outside IPs then you should scan them for infection. Brand-new installs can be infected very quickly if you have a host internally that is looking to spread. Start there, and at the same time see if you can narrow down the IPs to legit traffic; perhaps your firewall is having a false positive on these alerts.
-rich
LVL 61

Assisted Solution

by:btan
btan earned 167 total points
ID: 37705073
Looks like the client should not be going to that IP address, as it is blacklisted:
http://www.robtex.com/ip/64.215.158.24.html
And if the rate of traffic from each client is deemed not to be human browsing behaviour, probably some automated malware is already hard at work... For now, as mentioned by rich, have those clients checked; hopefully it is not DHCP, but then they have to be traced back and isolated, esp. the newly deployed ones. How would they spread so far: storage affected, common file share, peer-to-peer scanning of null shares etc.? I knew of a rampage of DNSChanger recently...
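Both rich's advice to narrow the alerts down to legitimate traffic and btan's point about per-client rates that no human browsing would produce come down to the same triage step: parse the audit records, count "unrequested server input" events per internal source, and see how many distinct external destinations each source is talking to. The script below is an added example, not code from the question or from the Sidewinder product; it assumes the record layout quoted in the question (with the field names spelled as Sidewinder writes them, e.g. domain/srcburb, which the question's hand-typed copy misspells), and all IP addresses, session ids and the alert threshold are constructed values.

```python
import re
from collections import Counter, defaultdict

# Regex over "key: value" pairs. Values may contain spaces (event, reason),
# so a value runs until the next "word:" token or the end of the record.
FIELD_RE = re.compile(r"(\w+):\s*(.*?)(?=\s+\w+:\s|$)", re.S)

# Record template mirroring the audit shown in the question. The fixed
# fields are copied from that audit; the {placeholders} are filled with
# constructed sample values below (assumption: this layout is what the
# firewall emits for every httpp protocol_violation event).
TEMPLATE = (
    "pid: 1489 ruid: 0 euid: 0 pgid: 1489 logid: 0 cmd: 'httpp'\n"
    "domain: httpp edomain: httpp hostname: myfirewall\n"
    "category: protocol_violation event: {event}\n"
    "netsessid: {sess} srcip: {src} srcport: {sport}\n"
    "srcburb: internal dst_local_port: 80 protocol: 6 src_local_port: 0\n"
    "dstip: {dst} dstport: 80 dstburb: external attackip: {dst}\n"
    "attackburb: external reason: Server input not requested by the client."
)


def build_sample():
    """Constructed sample log: one chatty host, one quiet host, one unrelated event."""
    recs, sess = [], 1000
    # 10.1.1.25 (constructed) hits twelve different external hosts in a burst
    for i in range(12):
        sess += 1
        recs.append(TEMPLATE.format(event="unrequested server input", sess=sess,
                                    src="10.1.1.25", sport=49000 + i,
                                    dst=f"64.215.158.{20 + i}"))
    # 10.1.1.40 (constructed) trips the alert twice against a single destination
    for i in range(2):
        sess += 1
        recs.append(TEMPLATE.format(event="unrequested server input", sess=sess,
                                    src="10.1.1.40", sport=50000 + i,
                                    dst="64.215.158.24"))
    # A record with a different event name, to show that filtering works
    sess += 1
    recs.append(TEMPLATE.format(event="session end", sess=sess, src="10.1.1.7",
                                sport=51000, dst="203.0.113.9"))
    return "\n\n".join(recs)


def parse_audit(record):
    """Turn one multi-line audit record into a dict of field -> value."""
    return dict(FIELD_RE.findall(record.strip()))


def parse_audits(text):
    """Split a dump of records separated by blank lines and parse each one."""
    return [parse_audit(r) for r in re.split(r"\n\s*\n", text.strip()) if r.strip()]


def summarize(records, event="unrequested server input", threshold=10):
    """Count matching events per internal source and per external destination.

    Hosts at or above `threshold` events are listed as "noisy"; the fan-out
    (number of distinct destinations per source) separates a client that keeps
    tripping on one odd web server from one that is spraying the Internet.
    """
    per_src, per_dst = Counter(), Counter()
    dsts_per_src = defaultdict(set)
    for r in records:
        if r.get("event") != event:
            continue
        per_src[r["srcip"]] += 1
        per_dst[r["dstip"]] += 1
        dsts_per_src[r["srcip"]].add(r["dstip"])
    return {
        "per_src": per_src,
        "per_dst": per_dst,
        "dst_fanout": {src: len(d) for src, d in dsts_per_src.items()},
        "noisy_hosts": sorted(s for s, n in per_src.items() if n >= threshold),
    }


if __name__ == "__main__":
    summary = summarize(parse_audits(build_sample()))
    for src, n in summary["per_src"].most_common():
        print(f"{src:>12}  events={n:<3} distinct_dst={summary['dst_fanout'][src]}")
    print("hosts to pull for an offline AV scan:", summary["noisy_hosts"])
    print("top destinations:", summary["per_dst"].most_common(3))
```

On a real Sidewinder export you would feed the audit text into parse_audits instead of build_sample; the hosts in noisy_hosts with a high distinct-destination count are the ones worth scanning first, while a source that only ever trips on one destination is the candidate false positive rich mentions.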
LVL 5

Assisted Solution

by:andrew1812
andrew1812 earned 166 total points
ID: 37706286
You could use a protocol analyzer and check for the source MAC address in the frames of these malicious packets. This would help you to identify the actual system/systems from which the malware is getting triggered.

Author Comment

by:Osiris42
ID: 37716621
Thanks for the info everyone. I ran the offline virus scan on a few of the computers I was seeing in the logs and they all came up clean. I also just got McAfee HIPS working on my clients and that has stopped the traffic from getting to the firewall. I haven't had a chance to review the IPS logs on each machine yet, but that should give me a clue about what that traffic is and why it's happening.

I'll post again when I figure something out.

Thanks again!

Josh