[Wolves] smoothwall advice please
Andy Wootton
andy.wootton at wyrley.demon.co.uk
Tue Jun 7 21:43:20 BST 2005
kev adams wrote:
>Hi
>
>Can anyone give me any advice regarding this excerpt from my smoothwall IDS
>log please?
>
>I've got a fairly common set up : ADSL router - smoothwall - switch to LAN
>
>-------------------------------------------
>Date: 06/07 16:14:05
>Name: ICMP PING NMAP
>Priority: 2
>Type: Attempted Information Leak
>IP Info: 10.0.0.2:n/a -> 10.0.0.5:n/a
>Refs: http://www.whitehats.com/info/IDS162,
>
>Date: 06/07 16:18:43
>Name: ICMP PING NMAP
>Priority: 2
>Type: Attempted Information Leak
>IP Info: 10.0.0.2:n/a -> 10.0.0.5:n/a
>Refs: http://www.whitehats.com/info/IDS162,
>
>Date: 06/07 16:31:22
>Name: ICMP PING NMAP
>Priority: 2
>Type: Attempted Information Leak
>IP Info: 10.0.0.2:n/a -> 10.0.0.5:n/a
>Refs: http://www.whitehats.com/info/IDS162,
>
>Date: 06/07 16:31:30
>Name: ICMP PING NMAP
>Priority: 2
>Type: Attempted Information Leak
>IP Info: 10.0.0.2:n/a -> 10.0.0.5:n/a
>Refs: http://www.whitehats.com/info/IDS162,
>
>Date: 06/07 19:53:49
>Name: (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
>Priority: n/a
>Type: n/a
>IP Info: 10.0.0.5:33214 -> 67.15.2.10:80
>Refs:
>
>Date: 06/07 20:06:14
>Name: (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
>Priority: n/a
>Type: n/a
>IP Info: 10.0.0.5:33259 -> 67.15.2.10:80
>Refs:
>--------------------------------------------------
>
>
Someone else may know better but until they reply -
This could be someone attempting an exploit by a buffer overflow attack.
I'd guess they haven't got through yet. I would remove the cable from
Smoothwall to your switch until you are sure if you have another safe
route to do your research. NMAP is a port scanner so it looks very
dodgy. I'd be Googling for http buffer-overflow/ill-formed packets
exploits and checking for patches. The attacking machines could have
been exploited so it might be worth tring to find out where they are in
case you can report it. I think Smoothwall uses the Snort Intrusion
Detection System so you might be able to find other sources of information.
Woo
More information about the Wolves
mailing list