[Wolves] smoothwall advice please

Andy Wootton andy.wootton at wyrley.demon.co.uk
Tue Jun 7 21:43:20 BST 2005


kev adams wrote:

>Hi
>
>Can anyone give me any advice regarding this excerpt from my smoothwall IDS 
>log please?
>
>I've got a fairly common set up : ADSL router - smoothwall - switch to LAN
>
>-------------------------------------------
>Date: 06/07 16:14:05
>Name: ICMP PING NMAP
>Priority: 2
>Type: Attempted Information Leak
>IP Info: 10.0.0.2:n/a -> 10.0.0.5:n/a
>Refs: http://www.whitehats.com/info/IDS162,
>
>Date: 06/07 16:18:43
>Name: ICMP PING NMAP
>Priority: 2
>Type: Attempted Information Leak
>IP Info: 10.0.0.2:n/a -> 10.0.0.5:n/a
>Refs: http://www.whitehats.com/info/IDS162,
>
>Date: 06/07 16:31:22
>Name: ICMP PING NMAP
>Priority: 2
>Type: Attempted Information Leak
>IP Info: 10.0.0.2:n/a -> 10.0.0.5:n/a
>Refs: http://www.whitehats.com/info/IDS162,
>
>Date: 06/07 16:31:30
>Name: ICMP PING NMAP
>Priority: 2
>Type: Attempted Information Leak
>IP Info: 10.0.0.2:n/a -> 10.0.0.5:n/a
>Refs: http://www.whitehats.com/info/IDS162,
>
>Date: 06/07 19:53:49
>Name: (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
>Priority: n/a
>Type: n/a
>IP Info: 10.0.0.5:33214 -> 67.15.2.10:80
>Refs: 
>
>Date: 06/07 20:06:14
>Name: (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
>Priority: n/a
>Type: n/a
>IP Info: 10.0.0.5:33259 -> 67.15.2.10:80
>Refs: 
>--------------------------------------------------
>
>
Someone else may know better but until they reply -

This could be someone attempting an exploit by a buffer overflow attack. 
I'd guess they haven't got through yet. I would remove the cable from 
Smoothwall to your switch until you are sure if you have another safe 
route to do your research. NMAP is a port scanner so it looks very 
dodgy. I'd be Googling for http buffer-overflow/ill-formed packets 
exploits and checking for patches. The attacking machines could have 
been exploited so it might be worth trying to find out where they are in 
case you can report it. I think Smoothwall uses the Snort Intrusion 
Detection System so you might be able to find other sources of information.

Woo
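A small triage helper for log excerpts in the format quoted above, added here as an example and not part of the thread or of Smoothwall itself. It parses the "Key: value" records, counts repeats of the same signature between the same pair of addresses, and labels each alert by which side of the address boundary its endpoints fall on. The sample input is three of the six records from the post; the assumption that RFC 1918 addresses mean "inside the firewall" is the script's, based on the ADSL router / Smoothwall / LAN layout described, and a real deployment would substitute its own LAN ranges.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: three of the records quoted in the post,
# with the dashed separator lines left in to show they are skipped.
SAMPLE_LOG = """\
-------------------------------------------
Date: 06/07 16:14:05
Name: ICMP PING NMAP
Priority: 2
Type: Attempted Information Leak
IP Info: 10.0.0.2:n/a -> 10.0.0.5:n/a
Refs: http://www.whitehats.com/info/IDS162,

Date: 06/07 16:18:43
Name: ICMP PING NMAP
Priority: 2
Type: Attempted Information Leak
IP Info: 10.0.0.2:n/a -> 10.0.0.5:n/a
Refs: http://www.whitehats.com/info/IDS162,

Date: 06/07 19:53:49
Name: (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
Priority: n/a
Type: n/a
IP Info: 10.0.0.5:33214 -> 67.15.2.10:80
Refs: 
--------------------------------------------------
"""

# IPv4 only: "src:sport -> dst:dport", where a port may be "n/a" (ICMP).
IP_INFO_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\S+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\S+)$"
)


@dataclass
class Alert:
    date: str
    name: str
    priority: str
    kind: str
    src: str
    sport: str
    dst: str
    dport: str
    refs: str

    @property
    def direction(self) -> str:
        """Side of the boundary for each endpoint. Assumption: RFC 1918
        space is the LAN/router side, everything else is the Internet."""
        def side(ip: str) -> str:
            return "private" if ipaddress.ip_address(ip).is_private else "public"
        return f"{side(self.src)}->{side(self.dst)}"


def parse_alerts(text: str) -> list[Alert]:
    """Turn a Smoothwall IDS excerpt (blank-line separated 'Key: value'
    blocks) into Alert records; dashed separator lines are ignored."""
    alerts: list[Alert] = []
    fields: dict[str, str] = {}

    def flush() -> None:
        if "IP Info" in fields:
            m = IP_INFO_RE.match(fields["IP Info"])
            if not m:
                raise ValueError(f"unparseable IP Info: {fields['IP Info']!r}")
            alerts.append(Alert(
                date=fields.get("Date", ""),
                name=fields.get("Name", ""),
                priority=fields.get("Priority", "n/a"),
                kind=fields.get("Type", "n/a"),
                refs=fields.get("Refs", "").rstrip(","),  # drop trailing comma
                **m.groupdict(),
            ))
        fields.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            flush()
            continue
        if set(line) <= {"-"}:
            continue
        key, sep, value = line.partition(":")  # first colon only: values contain ':'
        if sep:
            fields[key.strip()] = value.strip()
    flush()
    return alerts


def summarize(alerts: list[Alert]) -> Counter:
    """Collapse repeats: count by (signature, src, dst, direction)."""
    return Counter((a.name, a.src, a.dst, a.direction) for a in alerts)


if __name__ == "__main__":
    for (name, src, dst, direction), n in summarize(parse_alerts(SAMPLE_LOG)).most_common():
        print(f"{n:>3} x {name:46} {src} -> {dst}  [{direction}]")
```

Run on the full excerpt, the summary reduces the six records to two lines: four identical NMAP-ping alerts from one private address to another, and two outbound HTTP alerts from the LAN host to a public web server. Establishing that direction and repetition is the first step before deciding whether an alert is an external attack, a local scanner, or a client-side rule firing on ordinary outbound browsing.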


