Solved

Firewall "Attack" Audits

Posted on 2012-03-09
4
1,142 Views
Last Modified: 2012-06-21
Hi all,

I've recently taken over as the firewall administrator for my network and I am constantly seeing "Attacks" on the Sidewinder Admin Console Dashboard. Every minute I'll get about 50 or so Audits that look like this:

pid: 1489 ruid: 0 euid: 0 pgid: 1489 logid: 0 cmd: 'httpp'
domian: htpp edomian: htpp hostname: myfirewall
category: protocol_violation event: unrequested server input
netsessid: SessionIDNumber srcip: internalIPaddress srcport: highport#
scrburb: internal dst_local_port: 80 protocol: 6 src_local_port:0
dstip: externalIPAdress dstport: 80 dstburb: external attackip: externalIPAdress
attackburb: external reason: Server input not requested by the client.

The source IP addresses are my internal clients and the destination IPs are from a lot of different places, however one range of IPs that comes up a lot is registered to Global Crossing according to dnsstuff.com (example: 64.215.158.24).

Can anyone shed light on what's going on here? It's happening to multiple client machines, some of which are brand new installs.

Thanks in advance!

Josh
0
Question by:Osiris42
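An added example, not part of the thread: a small Python triage script that parses Sidewinder audit records in the key: value layout pasted above and aggregates them by internal source, external attack IP and /24 network, so a stream of 50 audits a minute can be narrowed to the handful of clients and destination ranges worth checking. The sample records are constructed (key spellings normalised to srcburb/domain, RFC 1918 and documentation-range addresses); 64.215.158.24 is the address from the question.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: one record template in the layout from the question,
# instantiated for five flows. Values are placeholders, not real hosts.
RECORD_TEMPLATE = """\
pid: 1489 ruid: 0 euid: 0 pgid: 1489 logid: 0 cmd: 'httpp'
domain: htpp edomain: htpp hostname: myfirewall
category: protocol_violation event: unrequested server input
netsessid: {sid} srcip: {src} srcport: {sport}
srcburb: internal dst_local_port: 80 protocol: 6 src_local_port:0
dstip: {dst} dstport: 80 dstburb: external attackip: {dst}
attackburb: external reason: Server input not requested by the client."""

SAMPLE_FLOWS = [  # (internal srcip, external attackip) pairs, constructed
    ("10.0.0.15", "64.215.158.24"),
    ("10.0.0.15", "64.215.158.24"),
    ("10.0.0.15", "203.0.113.9"),
    ("10.0.0.22", "64.215.158.24"),
    ("10.0.0.22", "198.51.100.7"),
]
SAMPLE_AUDITS = "\n\n".join(
    RECORD_TEMPLATE.format(sid=1000 + i, src=s, sport=50000 + i, dst=d)
    for i, (s, d) in enumerate(SAMPLE_FLOWS)
)

# A key is a word followed by a colon (optional space, since the question's
# paste has "src_local_port:0"); a value runs until the next key.
KEY_RE = re.compile(r"(?<![\w.])([A-Za-z_]\w*):\s*")


def parse_audit(record: str) -> dict:
    """Turn one multi-line audit record into a {key: value} dict.

    Multi-word values such as the 'reason' text survive because a value
    extends up to the start of the following key, not the next space.
    """
    flat = " ".join(record.split())
    matches = list(KEY_RE.finditer(flat))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(flat)
        fields[m.group(1)] = flat[m.end():end].strip().strip("'")
    return fields


def parse_audits(text: str) -> list:
    """Split a pasted dump into blank-line separated records and parse each."""
    return [parse_audit(r) for r in re.split(r"\n\s*\n", text.strip()) if r.strip()]


def summarize(records: list, per_client_threshold: int = 3) -> dict:
    """Aggregate the audits the way an admin triages them: which internal
    clients produce them, which external hosts and /24s they point at, and
    whether every record is the same internal->external direction."""
    by_src = Counter(r["srcip"] for r in records)
    by_attack = Counter(r["attackip"] for r in records)
    by_net = Counter(
        str(ipaddress.ip_network(f"{r['attackip']}/24", strict=False)) for r in records
    )
    events = Counter(f"{r['category']}/{r['event']}" for r in records)
    noisy = sorted(ip for ip, n in by_src.items() if n >= per_client_threshold)
    outbound_only = all(
        r["srcburb"] == "internal" and r["attackburb"] == "external" for r in records
    )
    return {
        "by_src": dict(by_src),
        "by_attackip": dict(by_attack),
        "by_attack_net": dict(by_net),
        "events": dict(events),
        "noisy_clients": noisy,
        "outbound_only": outbound_only,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_audits(SAMPLE_AUDITS)).items():
        print(f"{key}: {value}")
```

Paste a real dump into SAMPLE_AUDITS (or read it from a file) and the noisy_clients list is the set of machines to pull for an offline scan first; by_attack_net shows whether one external range dominates, which is the question to settle before deciding whether the audits are a false positive.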
4 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 167 total points
ID: 37704969
Perhaps scan them with an offline AV scanner like M$'s: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline
That makes sure any rootkits or nasties are not loaded, as you're running off the CD/DVD instead of the OS on the HD. If your internal IPs are "attacking" outside IPs then you should scan them for infection. Brand-new installs can be infected very quickly if you have a host internally that is looking to spread. Start there, and at the same time see if you can narrow down the IPs to legit traffic; perhaps your firewall is having a false positive on these alerts.
-rich
0
 
LVL 64

Assisted Solution

by:btan
btan earned 167 total points
ID: 37705073
Looks like the client should not be going to that IP address, as it is blacklisted:
http://www.robtex.com/ip/64.215.158.24.html
And if the rate of traffic from each client is deemed not to be human browsing behaviour, probably some automated malware is already hard at work... As of now, as mentioned by rich, have those clients checked; hopefully it is not DHCP, but then it has to be traced back and they have to be isolated, esp. the newly deployed ones. How would they spread so far? Storage affected, common file share, peer-to-peer scanning of null shares, etc. I knew of a rampage of DNSChanger recently...
0
 
LVL 5

Assisted Solution

by:andrew1812
andrew1812 earned 166 total points
ID: 37706286
You could use a protocol analyzer and check for the source MAC address in the frame of these malicious packets. This would help you to identify the actual system/systems from which the malware is getting triggered.
0
 

Author Comment

by:Osiris42
ID: 37716621
Thanks for the info everyone. I ran the offline virus scan on a few of the computers I was seeing in the logs and they all came up clean. I also just got McAfee HIPS working on my clients and that has stopped the traffic from getting to the firewall. I haven't had a chance to review the IPS logs on each machine yet, but that should give me a clue about what that traffic is and why it's happening.

I'll post again when I figure something out.

Thanks again!

Josh
0
