This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Intrusion Protection Alert

I received the following message from our ASG220;

---------- Snip ------------

Intrusion Protection Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: BACKDOOR fkwp 2.0 runtime detection - connection success
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=6033
Time...........: 2008:03:06-14:05:31
Packet dropped.: yes
Priority.......: 1 (high)
Classification.: A Network Trojan was detected IP protocol....: 6 (TCP)

Source IP address: 192.168.1.1 (firewall.polese.com)
- http://www.dnsstuff.com/tools/ptr.ch?ip=192.168.1.1
- http://www.ripe.net/perl/whois?query=192.168.1.1
- http://ws.arin.net/cgi-bin/whois.pl?queryinput=192.168.1.1
- http://cgi.apnic.net/apnic-bin/whois.pl?search=192.168.1.1
Source port: 8110
Destination IP address: 192.168.1.176
- http://www.dnsstuff.com/tools/ptr.ch?ip=192.168.1.176
- http://www.ripe.net/perl/whois?query=192.168.1.176
- http://ws.arin.net/cgi-bin/whois.pl?queryinput=192.168.1.176
- http://cgi.apnic.net/apnic-bin/whois.pl?search=192.168.1.176
Destination port: 51824

---------- Snip ------------

It seems odd to me that the “Source IP address” is the firewall itself, does this make sense to any of you?

- Hamilton

This thread was automatically locked due to age.

Parents

0 BrucekConvergent over 17 years ago

It's likely to be a false positive... I'd check over the client computer carefully to be sure.
Cancel
Vote Up 0 Vote Down

Cancel
0 Hamilton over 17 years ago in reply to BrucekConvergent

Thanks, I will, but why does the source IP address show as the firewall, I would think if the workstation were compromised it would be the source IP address.
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 17 years ago in reply to Hamilton

Again, probably the nature of the rule and the traffic that triggered it... Given that the Snort rule info for this rule indicates that the trojan in question is a WIN32 program, and the Astaro is a Linux system, would have me looking at the other node in the alert, not the Astaro, to see if this trojan was installed. Chances are it's a false positive, but you need to check the PC to be sure.
Cancel
Vote Up 0 Vote Down

Cancel
0 Hamilton over 17 years ago in reply to BrucekConvergent

Thanks again Bruce,

I have checked the client machine and found nothing; it is just curious to me that the alert shows the firewall as the source of the bad packet.

The client is a new HP Notebook with Vista Business on it, so my guess is it is some piece of cr*pware they put on the machine.
Cancel
Vote Up 0 Vote Down

Cancel
0 jkmichael over 17 years ago in reply to Hamilton

Do you have any Full NATs defined? That's one possible reason the ASG's inside IP could appear as the "source" of a packet even if it originated from an outside host.
Cancel
Vote Up 0 Vote Down

Cancel
0 Hamilton over 17 years ago in reply to jkmichael

I don’t understand what you mean by “Full NATs” we do use masquerading for our internal network, is this what you mean?
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 17 years ago in reply to Hamilton

I'd guess that traffic coming through the proxies might have the firewall IP also.

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BarryG over 17 years ago in reply to Hamilton

I'd guess that traffic coming through the proxies might have the firewall IP also.

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data