This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

One ip One Destination One Spesific Port; There is some huge traffic.

Hi, today I saw one of our users 192.168.3.29 has done ~900MB traffic to 193.140.100.220 which seems to belong uludag.org.tr. The problem is it is the traffic is on 43825 and 44861 ports which SHOULD BE DROPPED [:O]

I attach some screenshots.

I looked to todays PackageFilter Log file: there is no 192.168.3.29 or 193.140.100.220 in the logs. Not a single line.

I have webproxy enabled. IM/P2P control disabled. So how should this port and these IPs bypass the package filter? Where should I check?

This thread was automatically locked due to age.

0 BAlfson over 14 years ago

I wonder if those aren't someone downloading from that internal user. Do you have a rule allowing that? Are you certain that user doesn't have a Trojan?

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 rahman over 14 years ago in reply to BAlfson

I wonder if those aren't someone downloading from that internal user. Do you have a rule allowing that? Are you certain that user doesn't have a Trojan?

Cheers - Bob

No, I looked PF rules over and over again. local users only allowed:

LAN-> http:https:ftp:msn[:D]ns:smtp:etc -> Any

only basic internet protocols are allowed. And please attention; all PF rules are set to log their traffic. Even the log settings, todays PF log file has no record for the lan ip, remote ip and the 4***x ports. Realy wierd.

The traffic reached 2.5GB and new ports are appeared, I realy wonder what is he uploading [:)]

For about trojan; how can it be possible that some malware bypasses the firewall?
Cancel
Vote Up 0 Vote Down

Cancel
0 rahman over 14 years ago

I just want to clarify something. There are 192.168.3.29 client logs in PF logs, this is not a ghost ip [:)] . But no log for the spesific traffic: 192.168.3.29 -> 4***xx port -> uludag.org.tr.
Cancel
Vote Up 0 Vote Down

Cancel