Solved

Firewall "Attack" Audits

Posted on 2012-03-09
Last Modified: 2012-06-21
Hi all,

I've recently taken over as the firewall administrator for my network and I am constantly seeing "Attacks" on the Sidewinder Admin Console Dashboard. Every minute I'll get about 50 or so Audits that look like this:

pid: 1489 ruid: 0 euid: 0 pgid: 1489 logid: 0 cmd: 'httpp'
domain: httpp edomain: httpp hostname: myfirewall
category: protocol_violation event: unrequested server input
netsessid: SessionIDNumber srcip: internalIPaddress srcport: highport#
srcburb: internal dst_local_port: 80 protocol: 6 src_local_port:0
dstip: externalIPAddress dstport: 80 dstburb: external attackip: externalIPAddress
attackburb: external reason: Server input not requested by the client.

The source IP addresses are my internal clients and the destination IPs are from a lot of different places; however, one range of IPs that comes up a lot is registered to Global Crossing according to dnsstuff.com (example: 64.215.158.24).

Can anyone shed light on what's going on here? It's happening to multiple client machines, some of which are a brand new install.

Thanks in advance!

Josh
Question by: Osiris42
4 Comments

Accepted Solution

by: Rich Rumble (earned 167 total points)
ID: 37704969
Perhaps scan them with an offline AV scanner like M$'s: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline
That makes sure any rootkits or nasties are not loaded, as you're running off the CD/DVD instead of the OS on the HD. If your internal IPs are "attacking" outside IPs then you should scan them for infection. Brand-new installs can be infected very quickly if you have a host internally that is looking to spread. Start there, and at the same time see if you can narrow down the IPs to legit traffic; perhaps your firewall is having a false positive on these alerts.
-rich

Assisted Solution

by: btan (earned 167 total points)
ID: 37705073
Looks like the client likely should not be going to that IP address, as it is blacklisted:
http://www.robtex.com/ip/64.215.158.24.html
And if the rate of traffic from each client is deemed not to be human browsing behaviour, probably some automated malware is already hard at work. As of now, as mentioned by Rich, have those clients checked; hopefully it is not DHCP, but then they have to be traced back and isolated, especially the newly deployed ones. How would they spread so far: storage affected, common file shares, peer-to-peer scanning of null shares, etc.? I knew of a rampage of DNSChanger recently...
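An added example, not part of the original thread. Reading the audit in the question: the record comes from the Sidewinder HTTP proxy (cmd 'httpp'), and "Server input not requested by the client" means the external server sent data on the connection before the internal client had sent an HTTP request, which is why the client appears as srcip and the external host as attackip. Before deciding between infection and false positive, as Rich and btan suggest, the useful first step is to pull the audit records and aggregate them: which internal clients produce the audits and how many each, and which external destinations are shared across clients. The Python below does that on constructed sample records that copy the layout from the question (field names as posted, with the typos corrected to domain, edomain and srcburb). Assumptions: the addresses are RFC 5737 documentation ranges rather than the real ones, the "acl_deny" record is a made-up non-matching category included only to show the filter, and the per-client threshold is arbitrary.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data: the record layout from the question (key: value
# pairs, free-form whitespace, one blank line between records), filled with
# RFC 5737 documentation addresses. Not a real Sidewinder export.
TEMPLATE = """\
pid: 1489 ruid: 0 euid: 0 pgid: 1489 logid: 0 cmd: 'httpp'
domain: httpp edomain: httpp hostname: myfirewall
category: {category} event: {event}
netsessid: {sid} srcip: {srcip} srcport: {sport}
srcburb: internal dst_local_port: 80 protocol: 6 src_local_port:0
dstip: {dstip} dstport: 80 dstburb: external attackip: {dstip}
attackburb: external reason: {reason}"""

UNREQ = dict(category="protocol_violation", event="unrequested server input",
             reason="Server input not requested by the client.")
# Made-up non-matching category, only there to exercise the filter below.
OTHER = dict(category="acl_deny", event="ACL deny", reason="Traffic denied by policy.")

SAMPLE_AUDITS = "\n\n".join([
    TEMPLATE.format(sid="4f5a0001", srcip="10.1.2.30", sport=49152, dstip="198.51.100.24", **UNREQ),
    TEMPLATE.format(sid="4f5a0002", srcip="10.1.2.30", sport=49153, dstip="198.51.100.24", **UNREQ),
    TEMPLATE.format(sid="4f5a0003", srcip="10.1.2.30", sport=49154, dstip="203.0.113.7", **UNREQ),
    TEMPLATE.format(sid="4f5a0004", srcip="10.1.2.45", sport=51000, dstip="198.51.100.24", **UNREQ),
    TEMPLATE.format(sid="4f5a0005", srcip="10.1.2.45", sport=51001, dstip="203.0.113.99", **OTHER),
])

# A field name is letters/underscores followed by a colon; the colon may or
# may not be followed by whitespace (the question shows "src_local_port:0").
KEY_RE = re.compile(r"\s*\b([A-Za-z_]+):\s*")


def parse_audit(record: str) -> dict:
    """Turn one multi-line audit record into a {field: value} dict.

    The line wrapping is collapsed first, then the text is split on field
    names, so a value runs until the next 'field:' token. That keeps
    multi-word values such as 'event: unrequested server input' intact.
    """
    flat = " ".join(record.split())
    parts = KEY_RE.split(flat)  # ['', key1, value1, key2, value2, ...]
    return {k: v.strip().strip("'") for k, v in zip(parts[1::2], parts[2::2])}


def parse_audits(text: str) -> list:
    """Split an audit export into records (blank-line separated) and parse each."""
    return [parse_audit(b) for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]


def unrequested_input(records: list) -> list:
    """Keep only the audits the question is about."""
    return [r for r in records
            if r.get("category") == "protocol_violation"
            and r.get("event") == "unrequested server input"]


def triage(records: list, per_client_threshold: int = 3) -> dict:
    """Aggregate the 'unrequested server input' audits by client and destination.

    - per_src: how many audits each internal client generated.
    - clients_per_dst: which internal clients talked to each external IP.
    - noisy_clients: clients at or above the threshold (candidates for the
      offline scan).
    - shared_destinations: external IPs reached by two or more clients, either
      a shared legitimate service or a shared infection; look these up first.
    """
    hits = unrequested_input(records)
    per_src = Counter(r["srcip"] for r in hits)
    clients_per_dst = defaultdict(set)
    for r in hits:
        clients_per_dst[r["dstip"]].add(r["srcip"])
    return {
        "per_src": dict(per_src),
        "clients_per_dst": {ip: sorted(c) for ip, c in clients_per_dst.items()},
        "noisy_clients": sorted(ip for ip, n in per_src.items() if n >= per_client_threshold),
        "shared_destinations": sorted(ip for ip, c in clients_per_dst.items() if len(c) >= 2),
    }


if __name__ == "__main__":
    for key, value in triage(parse_audits(SAMPLE_AUDITS)).items():
        print(f"{key}: {value}")
```

With a real export, pass the audit text to parse_audits() in place of SAMPLE_AUDITS. On the sample, 10.1.2.30 is flagged as a noisy client and 198.51.100.24 as a destination shared by two clients; that destination is the one to look up (and to check for non-HTTP services answering on port 80, which would make the proxy alert a false positive), and the noisy client is the one to pull for the offline scan.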

Assisted Solution

by: andrew1812 (earned 166 total points)
ID: 37706286
You could use a protocol analyzer and check for the source MAC address in the frames of these malicious packets. This would help you to identify the actual system/systems from which the malware is getting triggered.

Author Comment

by: Osiris42
ID: 37716621
Thanks for the info everyone. I ran the offline virus scan on a few of the computers I was seeing in the logs and they all came up clean. I also just got McAfee HIPS working on my clients and that has stopped the traffic from getting to the firewall. I haven't had a chance to review the IPS logs on each machine yet, but that should give me a clue about what that traffic is and why it's happening.

I'll post again when I figure something out.

Thanks again!

Josh