For the last 3 days I have been getting constant intrusion alerts as listed below. The strange parts:
1. I have turned off ALL notifications in Network Security --> Intrusion Protection --> Attack Patterns yesterday.
2. The notifications are hours old by the time I get the emails. I purposely botched my admin password on sign in which always sends an email and it comes through instantly, so I'm not sure why the IPS messages are hours behind.
3. Up until this started, I would never get any of the automated backup messages or the daily reports I had set up. Since this all started the messages are now coming in on time.
The IPS log shows the following:
2007:11:02-13:58:42 (none) barnyard[12898]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: DOUBLE DECODING ATTACK" group="0" srcip="192.168.5.166" dstip="207.46.209.246" proto="6" srcport="49626" dstport="80" sid="0" class="Unknown" priority="3" generator="119" msgid="1"
2007:11:02-14:17:56 (none) barnyard[12898]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: OVERSIZE REQUEST-URI DIRECTORY" group="0" srcip="69.125.151.253" dstip="64.152.59.165" proto="6" srcport="34498" dstport="80" sid="0" class="Unknown" priority="3" generator="119" msgid="1"
2007:11:02-14:41:41 (none) barnyard[12898]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: DOUBLE DECODING ATTACK" group="0" srcip="192.168.5.126" dstip="216.52.17.134" proto="6" srcport="49221" dstport="80" sid="0" class="Unknown" priority="3" generator="119" msgid="1"
2007:11:02-14:41:58 (none) ulogd[2514]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="eth1" dstmac="**mac address removed**" srcmac="="**mac address removed**" " srcip="90.201.89.17" dstip="69.125.151.253" proto="1" length="140" tos="0x00" prec="0x00" ttl="52" type="3" code="1"
2007:11:02-14:45:08 (none) ulogd[2514]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="eth1" dstmac="="**mac address removed**" " srcmac="="**mac address removed**" " srcip="90.201.89.17" dstip="69.125.151.253" proto="1" length="138" tos="0x00" prec="0x00" ttl="52" type="3" code="1"
2007:11:02-14:48:19 (none) ulogd[2514]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="eth1" dstmac="**mac address removed**" srcmac="="**mac address removed**" " srcip="90.201.89.17" dstip="69.125.151.253" proto="1" length="140" tos="0x00" prec="0x00" ttl="52" type="3" code="1"
2007:11:02-14:51:28 (none) ulogd[2514]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="eth1" dstmac="="**mac address removed**" " srcmac="**mac address removed**" srcip="90.201.89.17" dstip="69.125.151.253" proto="1" length="138" tos="0x00" prec="0x00" ttl="52" type="3" code="1"
Any thoughts on stopping this runaway message would be greatly appreciated!!!!
Here is a sample email message (received at 17:11) I keep getting from my A220:
The following events were recorded in the intrusion log file.
Note that these events do not necessarily indicate an attempted intrusion and can be caused by a number of network applications. You should review the log to determine if any actions are required.
Nov 2 14:18:56 firewall /kernel: ipfw: 3363 Deny ICMP:8.0 216.226.243.44 192.168.5.19 in via dc0
Nov 2 14:18:59 firewall /kernel: ipfw: 3363 Deny ICMP:8.0 216.226.243.44 192.168.5.19 in via dc0
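As an added example (not part of the original post, and not vendor code), here is a small Python parser for the barnyard/ulogd key="value" records above, with a triage summary that splits alerts by direction (LAN host to Internet, Internet to the firewall's WAN address) and by reason. The sample records are copied from the post, with the redacted MAC addresses replaced by an all-zero placeholder; the "likely benign browsing" verdict is a heuristic assumed here, based on the alerts coming from the http_inspect preprocessor (generator 119) for LAN clients talking outbound on port 80, which is exactly the kind of event the appliance's own email text says "can be caused by a number of network applications".

```python
"""Parser and triage summary for Astaro-style IPS log records (the
barnyard/ulogd lines with key="value" fields shown in the post).
Example code added to this thread; not from the post or the appliance
vendor.  Sample lines are copied from the post, with the redacted MAC
addresses replaced by an all-zero placeholder."""
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address

# Record layout: "<YYYY:MM:DD-HH:MM:SS> <host> <process>[<pid>]: key="value" ..."
HEADER_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ '
    r'(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed from the post's log excerpt; MACs are placeholders.
SAMPLE_LOG = """\
2007:11:02-13:58:42 (none) barnyard[12898]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: DOUBLE DECODING ATTACK" group="0" srcip="192.168.5.166" dstip="207.46.209.246" proto="6" srcport="49626" dstport="80" sid="0" class="Unknown" priority="3" generator="119" msgid="1"
2007:11:02-14:17:56 (none) barnyard[12898]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: OVERSIZE REQUEST-URI DIRECTORY" group="0" srcip="69.125.151.253" dstip="64.152.59.165" proto="6" srcport="34498" dstport="80" sid="0" class="Unknown" priority="3" generator="119" msgid="1"
2007:11:02-14:41:41 (none) barnyard[12898]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: DOUBLE DECODING ATTACK" group="0" srcip="192.168.5.126" dstip="216.52.17.134" proto="6" srcport="49221" dstport="80" sid="0" class="Unknown" priority="3" generator="119" msgid="1"
2007:11:02-14:41:58 (none) ulogd[2514]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="eth1" dstmac="00:00:00:00:00:00" srcmac="00:00:00:00:00:00" srcip="90.201.89.17" dstip="69.125.151.253" proto="1" length="140" tos="0x00" prec="0x00" ttl="52" type="3" code="1"
2007:11:02-14:45:08 (none) ulogd[2514]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="eth1" dstmac="00:00:00:00:00:00" srcmac="00:00:00:00:00:00" srcip="90.201.89.17" dstip="69.125.151.253" proto="1" length="138" tos="0x00" prec="0x00" ttl="52" type="3" code="1"
"""


def parse_line(line):
    """Return a dict for one record, or None if the line is not in this format."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": datetime.strptime(m.group("ts"), "%Y:%m:%d-%H:%M:%S"),
        "proc": m.group("proc"),
        "pid": int(m.group("pid")),
    }
    rec.update(KV_RE.findall(m.group("rest")))  # list of (key, value) pairs
    return rec


def direction(srcip, dstip):
    """Classify by RFC 1918 membership. 'external' means neither side is
    private, e.g. Internet traffic aimed at the firewall's own WAN address."""
    src_priv = ip_address(srcip).is_private
    dst_priv = ip_address(dstip).is_private
    if src_priv and not dst_priv:
        return "outbound"
    if dst_priv and not src_priv:
        return "inbound"
    return "internal" if src_priv else "external"


def classify(rec):
    """Heuristic assumed by this example (not vendor guidance): generator 119
    is Snort's http_inspect preprocessor, and its alerts on LAN clients
    browsing outbound to port 80 are normally ordinary web traffic, so they
    are candidates for suppression rather than email.  Everything else is
    left for a human to review."""
    if (rec.get("generator") == "119" and rec.get("dstport") == "80"
            and rec["direction"] == "outbound"):
        return "likely benign browsing"
    return "review"


def triage(lines):
    """Parse all lines; return (records, count by (reason, direction), count by srcip)."""
    recs = [r for r in map(parse_line, lines) if r]
    by_reason = Counter()
    by_src = Counter()
    for r in recs:
        r["direction"] = direction(r["srcip"], r["dstip"])
        r["reason"] = r.get("reason", r["name"])  # ulogd lines carry only name=
        r["verdict"] = classify(r)
        by_reason[(r["reason"], r["direction"])] += 1
        by_src[r["srcip"]] += 1
    return recs, by_reason, by_src


if __name__ == "__main__":
    recs, by_reason, by_src = triage(SAMPLE_LOG.splitlines())
    for (reason, dirn), n in by_reason.most_common():
        print(f"{n:3d}  {dirn:9s} {reason}")
    for r in recs:
        print(r["ts"].isoformat(), r["srcip"], "->", r["dstip"], r["verdict"])
```

Run against a longer export of the IPS log, the per-reason/direction counts show quickly whether the flood of emails is a handful of repeating signatures on outbound browsing (a tuning problem on the appliance) or inbound events that deserve attention; note that the ICMP records here are type 3 / code 1 (destination unreachable: host unreachable) replies arriving at the WAN address, not echo requests.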