Solved

Firewall "Attack" Audits

Posted on 2012-03-09
Last Modified: 2012-06-21
Hi all,

I've recently taken over as the firewall administrator for my network and I am constantly seeing "Attacks" on the Sidewinder Admin Console Dashboard. Every minute I'll get about 50 or so Audits that look like this:

pid: 1489 ruid: 0 euid: 0 pgid: 1489 logid: 0 cmd: 'httpp'
domain: httpp edomain: httpp hostname: myfirewall
category: protocol_violation event: unrequested server input
netsessid: SessionIDNumber srcip: internalIPaddress srcport: highport#
srcburb: internal dst_local_port: 80 protocol: 6 src_local_port: 0
dstip: externalIPAddress dstport: 80 dstburb: external attackip: externalIPAddress
attackburb: external reason: Server input not requested by the client.

The source IP addresses are my internal clients and the destination IPs are from a lot of different places, however one range of IPs that comes up a lot is registered to Global Crossing according to dnsstuff.com (example: 64.215.158.24).

Can anyone shed light on what's going on here?  It's happening to multiple client machines, some of which are a brand new install.

Thanks in advance!

Josh
Question by:Osiris42
4 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 501 total points
ID: 37704969
Perhaps scan them with an offline AV scanner like M$'s: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline
That makes sure any rootkits or nasties are not loaded, as you're running off the CD/DVD instead of the OS on the HD. If your internal IPs are "attacking" outside IPs then you should scan them for infection. Brand-new installs can be infected very quickly if you have a host internally that is looking to spread. Start there, and at the same time see if you can narrow down the IPs to legit traffic; perhaps your firewall is raising a false positive on these alerts.
-rich
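Rich's advice to narrow the logged IPs down before scanning, applied to the audit layout pasted in the question, as an added example that is not part of the thread or of any Sidewinder tooling: a Python script that parses the key: value audit records, keeps only the "unrequested server input" events, and tallies them per internal srcip and per external attackip, so the noisiest clients and the repeat destinations stand out first. The records, addresses, session IDs and counts are constructed sample data, and the hosts_to_scan threshold is the example's own choice, not a Sidewinder setting.

```python
"""Group Sidewinder "unrequested server input" audits by internal source and
external destination. Added example; record layout follows the question,
all data below is constructed."""

import re
from collections import Counter, defaultdict

# Constructed sample records in the layout shown in the question.
# 203.0.113.24 stands in for the frequently recurring external destination.
RECORD_TEMPLATE = """pid: 1489 ruid: 0 euid: 0 pgid: 1489 logid: 0 cmd: 'httpp'
domain: httpp edomain: httpp hostname: myfirewall
category: protocol_violation event: unrequested server input
netsessid: {sess} srcip: {src} srcport: {sport}
srcburb: internal dst_local_port: 80 protocol: 6 src_local_port: 0
dstip: {dst} dstport: 80 dstburb: external attackip: {dst}
attackburb: external reason: Server input not requested by the client."""

SAMPLE_AUDITS = "\n\n".join(
    RECORD_TEMPLATE.format(sess=sess, src=src, sport=sport, dst=dst)
    for sess, src, sport, dst in [
        (1001, "10.1.1.10", 51234, "203.0.113.24"),
        (1002, "10.1.1.10", 51240, "198.51.100.7"),
        (1003, "10.1.1.10", 51251, "203.0.113.24"),
        (1004, "10.1.1.20", 49152, "203.0.113.24"),
    ]
)

# A key is a word followed by a colon; its value runs up to the next key
# (or end of record), so values containing spaces such as "reason:" survive.
KV_RE = re.compile(r"(\w+):\s*(.*?)(?=\s+\w+:\s|$)")


def parse_audit(record: str) -> dict:
    """Turn one multi-line audit record into a dict of its fields.
    Lines are joined first because one record wraps over several lines."""
    text = " ".join(record.split())
    return {key: value.strip("'") for key, value in KV_RE.findall(text)}


def parse_audit_log(text: str, event: str = "unrequested server input") -> list:
    """Split a raw dump on blank lines and keep only records for `event`."""
    chunks = [c for c in re.split(r"\n\s*\n", text.strip()) if c.strip()]
    records = [parse_audit(c) for c in chunks]
    return [r for r in records if r.get("event") == event]


def summarize(audits: list) -> dict:
    """Events per internal source, per external attackip, and the set of
    destinations each source hit. One client talking to many external hosts
    looks different from many clients all tripping on the same site."""
    by_src = Counter(a["srcip"] for a in audits)
    by_dst = Counter(a["attackip"] for a in audits)
    dst_per_src = defaultdict(set)
    for a in audits:
        dst_per_src[a["srcip"]].add(a["attackip"])
    return {
        "by_src": by_src,
        "by_dst": by_dst,
        "dst_per_src": {s: sorted(d) for s, d in dst_per_src.items()},
    }


def hosts_to_scan(audits: list, min_events: int = 3) -> list:
    """Internal sources with at least `min_events` audits: the machines to
    put through the offline scan (or a packet capture) first.
    The threshold is an arbitrary example value."""
    by_src = summarize(audits)["by_src"]
    return sorted(src for src, n in by_src.items() if n >= min_events)


if __name__ == "__main__":
    audits = parse_audit_log(SAMPLE_AUDITS)
    summary = summarize(audits)
    for src, n in summary["by_src"].most_common():
        targets = ", ".join(summary["dst_per_src"][src])
        print(f"{src:15} {n:3} events -> {targets}")
    print("repeat destinations:", summary["by_dst"].most_common(3))
    print("scan first:", hosts_to_scan(audits))
```

Point the script at a real audit export instead of SAMPLE_AUDITS and the per-source counts tell you whether a handful of clients generate most of the noise (scan those) or whether every client trips the same few destinations (look at the destinations and the proxy rule instead).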
 
LVL 64

Assisted Solution

by:btan
btan earned 501 total points
ID: 37705073
Looks like the client should not be going to that IP address, as it is blacklisted:
 http://www.robtex.com/ip/64.215.158.24.html
And if the rate of traffic from each client is deemed to be far from human browsing behaviour, probably some automated malware is already hard at work. As of now, as mentioned by Rich, have those clients checked; hopefully it is not DHCP, but then they have to be traced back and isolated, especially the newly deployed ones. How would they spread so far: storage affected, common file shares, peer-to-peer scanning of null shares, etc. I knew of a rampage of DNSChanger recently...
 
LVL 5

Assisted Solution

by:andrew1812
andrew1812 earned 498 total points
ID: 37706286
You could use a protocol analyzer and check the source MAC address in the frames of these malicious packets. This would help you to identify the actual system(s) from which the malware is being triggered.
 

Author Comment

by:Osiris42
ID: 37716621
Thanks for the info everyone.  I ran the offline virus scan on a few of the computers I was seeing in the logs and they all came up clean.  I also just got McAfee HIPS working on my clients and that has stopped the traffic from getting to the firewall.  I haven't had a chance to review the IPS logs on each machine yet, but that should give me a clue about what that traffic is and why it's happening.  

I'll post again when I figure something out.

Thanks again!

Josh
