[7.880][BUG][OPEN] Maybe ATA responding to traffic outside of range

Hi,
last night I ran a security scan of my ASG.
Turned up some interesting results, but I don't get to see some of them unless I pay money.

The one that does interest me and causes me some concern is the SIP report.

I have SIP security enabled and sites that the ATAs can talk to as part of the setup.
The security scan site is not in the IP range allowed into or out of the ASG for VoIP traffic, so why was the security scan able to talk to one of my ATAs and get it to respond? I know this access limiting used to work under previous versions.

Ian M
  • Extract from the IPS log. There is a series of these, about 20-30.

    2010:03:11-00:21:11 fw1-on-house ulogd[4301]:  id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="ppp0" srcip="69.28.227.213" dstip="210.84.48.58" proto="1" length="528" tos="0x08" prec="0x20" ttl="43" type="9" code="0" 
    2010:03:11-00:21:11 fw1-on-house ulogd[4301]:  id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="ppp0" srcip="69.28.227.213" dstip="210.84.48.58" proto="1" length="528" tos="0x08" prec="0x20" ttl="43" type="9" code="0"

    2010:03:10-22:33:16 fw1-on-house ulogd[4301]:  id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="ppp0" srcip="69.28.227.213" dstip="210.84.48.58" proto="6" length="60" tos="0x08" prec="0x20" ttl="43" srcport="34974" dstport="69" tcpflags="SYN" 
    2010:03:10-23:24:46 fw1-on-house snort[5320]:  id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="" reason="(spo_bo) Back Orifice Traffic detected" group="0" srcip="69.28.227.213" dstip="192.168.10.249" proto="17" srcport="60890" dstport="51413" sid="0" class="A Network Trojan was detected" priority="1"  generator="105" msgid="1"
    The last one in this sequence intrigues me. I haven't had that workstation powered on for over a month now and I see these attacks every so often.

    By the way, nothing shows in yesterday's IPS report.

    More data to come.

    2010:03:10-22:30:12 fw1-on-house ulogd[4301]:  id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="ppp0" srcip="69.28.227.213" dstip="210.84.48.58" proto="6" length="60" tos="0x08" prec="0x20" ttl="43" srcport="52965" dstport="11" tcpflags="SYN" 
    2010:03:10-22:30:12 fw1-on-house ulogd[4301]:  id="2103" severity="info" sys="SecureNet" sub="ips" name="SYN flood detected" action="SYN flood" fwrule="60012" initf="ppp0" srcip="69.28.227.213" dstip="210.84.48.58" proto="6" length="60" tos="0x08" prec="0x20" ttl="43" srcport="48337" dstport="44" tcpflags="SYN"

    I hope that is sufficient to prove your point.
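As an added example (not part of the thread or of the ASG software), here is a small Python parser for the ulogd/snort key="value" IPS records posted above. It splits the syslog header from the key/value fields, counts events per source address and event name, lists the records whose destination is a private (RFC 1918) address (of the four distinct lines above, only the snort alert names 192.168.10.249; the ulogd events name the gateway's public address 210.84.48.58), and flags sources outside a caller-supplied allow-list of networks. The allow-list used in the demo (203.0.113.0/24) is a placeholder, not a range from the thread; the sample records are the four distinct lines posted above, copied verbatim.

```python
"""Parse and triage Astaro-style IPS log records (ulogd/snort key="value" lines)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Sample input: the four distinct IPS records posted in the thread above.
SAMPLE_LOG = """\
2010:03:11-00:21:11 fw1-on-house ulogd[4301]:  id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="ppp0" srcip="69.28.227.213" dstip="210.84.48.58" proto="1" length="528" tos="0x08" prec="0x20" ttl="43" type="9" code="0"
2010:03:10-22:33:16 fw1-on-house ulogd[4301]:  id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="ppp0" srcip="69.28.227.213" dstip="210.84.48.58" proto="6" length="60" tos="0x08" prec="0x20" ttl="43" srcport="34974" dstport="69" tcpflags="SYN"
2010:03:10-23:24:46 fw1-on-house snort[5320]:  id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="" reason="(spo_bo) Back Orifice Traffic detected" group="0" srcip="69.28.227.213" dstip="192.168.10.249" proto="17" srcport="60890" dstport="51413" sid="0" class="A Network Trojan was detected" priority="1"  generator="105" msgid="1"
2010:03:10-22:30:12 fw1-on-house ulogd[4301]:  id="2103" severity="info" sys="SecureNet" sub="ips" name="SYN flood detected" action="SYN flood" fwrule="60012" initf="ppp0" srcip="69.28.227.213" dstip="210.84.48.58" proto="6" length="60" tos="0x08" prec="0x20" ttl="43" srcport="48337" dstport="44" tcpflags="SYN"
"""

# Header: timestamp, hostname, process[pid]:, then the key="value" payload.
HEADER_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})\s+'
    r'(?P<host>\S+)\s+'
    r'(?P<proc>[A-Za-z_]+)\[(?P<pid>\d+)\]:\s+(?P<rest>.*)$'
)
# Each field is key="value"; values may be empty (e.g. action="").
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a dict for one IPS record, or None if the line is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "proc": m["proc"], "pid": int(m["pid"])}
    rec.update(KV_RE.findall(m["rest"]))  # list of (key, value) tuples
    return rec


def parse_log(text):
    """Parse every non-empty line, skipping anything that does not match."""
    recs = (parse_line(l) for l in text.splitlines() if l.strip())
    return [r for r in recs if r is not None]


def summarize(recs):
    """Count events per (source IP, event label). snort records carry the
    detail in 'reason'; ulogd records only have 'name'."""
    counts = Counter()
    for r in recs:
        counts[(r["srcip"], r.get("reason") or r.get("name"))] += 1
    return counts


def internal_targets(recs):
    """Records whose dstip is a private address, i.e. the IPS logged the
    packet as addressed to an inside host rather than to the gateway itself."""
    return [r for r in recs if ip_address(r["dstip"]).is_private]


def outside_allowlist(recs, allowed_cidrs):
    """Records whose srcip falls in none of the allowed networks."""
    nets = [ip_network(c) for c in allowed_cidrs]
    return [r for r in recs
            if not any(ip_address(r["srcip"]) in n for n in nets)]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for (src, label), n in summarize(records).most_common():
        print(f"{n:3d}  {src:15s}  {label}")
    for r in internal_targets(records):
        print("internal dst:", r["ts"], r["srcip"], "->", r["dstip"], "udp/" + r["dstport"])
    # Placeholder allow-list (assumption, not from the thread).
    for r in outside_allowlist(records, ["203.0.113.0/24"]):
        print("not allow-listed:", r["ts"], r["srcip"], r.get("name"))
```

Feeding the gateway's full IPS log (rather than the four sample lines) into parse_log and sorting by the fixed-width ts field gives a chronological view of a scan; the (srcip, label) counter then shows how many of the 20-30 repeated ICMP-flood records one source produced.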