Former Member
Message 1 of 6

Packet Filter rules not taking effect

Hi

We have an SG 565, with an Ethernet over copper internet connection.

This feeds a class C IP range visible over the internet.

It is not NATed.

The person that set it up and looked after the security of the network has now passed away.

After doing a bit of reading, it seems that the way the security was handled is not best practice.

From what I have read, there should be rules for the ports you want to allow to come in and block everything else with a drop all at the end of the rules.

The only rules in the Packet Filtering > Packet Filter Rules tab were the default rules.

Drop Windows Networking     Active

Drop RFC1918 Incoming     Not Active

Drop RFC1918 Outgoing     Not Active

In the Packet Filtering > Custom Firewall Rules tab, "Custom firewall rules are instead of built-in rules" is NOT ticked. It has around 270 rows of rules.

Starting with the following between the ==============

==========================================================================================
cp /etc/0 /proc/sys/net/ipv4/conf/eth0/proxy_arp
cp /etc/0 /proc/sys/net/ipv4/conf/eth1/proxy_arp
cp /etc/1 /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.route.max_size=8192
iptables -F
iptables -N LOGDROP
iptables -A LOGDROP -j LOG
iptables -A LOGDROP -j DROP
iptables -N LOGREJ
iptables -A LOGREJ -j LOG
iptables -A LOGREJ -p tcp -j REJECT --reject-with tcp-reset
iptables -A LOGREJ -j REJECT --reject-with icmp-port-unreachable
iptables -N REJ
iptables -A REJ -p tcp -j REJECT --reject-with tcp-reset
iptables -A REJ -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -t nat -F
iptables -t mangle -F
iptables -P INPUT ACCEPT
#    10%
==========================================================================================

Further down there is a 25%, a 50% and a 75%.

OK, I say, let's see if we can tidy this up, since we are getting hammered by Chinese IPs trying to hack our servers, doing dictionary attacks.

So in the Packet filter rules I go through and add all the ports we need coming in and activate them. Also add the Drop all at the end.

No difference, which is what I thought would happen, since the other rules are still in operation.

I now delete all the custom firewall rules, after backing up.

That blocked them all right, we could not get anything from external, no web, no mail.

Copied Custom firewall rules back, all OK.

Next, deleted all after the 10%.

Same result.

Copied Custom firewall rules back, all OK.

Next, found 2 more iptables -P INPUT commands

first lines after 50%

iptables -P OUTPUT ACCEPT

iptables -P FORWARD ACCEPT

copied those under the INPUT ACCEPT,

above the 10%

Deleted all after the 10%, updated.

We now had web, mail. so that part worked.

BUT none of the rules in the first tab (Packet filter rules) seem to be working.

We are still getting hammered.

I set up a couple of tests.

Dropping 3389 to a server, ticked the check box, restarted the router, I could still come into that server on 3389.

Copied all Custom firewall rule back.

Any ideas please?

5 Replies
Former Member
Message 2 of 6

Re: Packet Filter rules not taking effect

The custom rules look identical to the inbuilt rules run by default. I would suggest he has copied them at some stage.

I suggest you don't use custom rules and instead use the GUI.

Since you are not in a NATed environment, you simply need to create packet filter rules of type = forward to allow the services you require.

When you say you are getting 'hammered'... what exactly does this mean?

Does it mean the firewall is performing its job and successfully blocking probes/attacks (and perhaps logging this), or does it mean your internal servers are under excessive load due to packets coming in via the firewall?
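The two points this thread turns on, worked through as an added example (not code from the thread, the replies, or the SG 565 firmware): a chain's default policy decides any packet that no rule matches, so the custom script's "-P INPUT ACCEPT" / "-P FORWARD ACCEPT" with no terminating drop blocks nothing; and on a routed, non-NAT network like the one in the first post, traffic for the servers crosses the FORWARD chain rather than INPUT, which is why the reply says the GUI rules need to be of type = forward. The simulator below models netfilter's first-match evaluation with that chain selection. The addresses (203.0.113.0/24 standing in for the poster's public /24, 203.0.113.1 as the firewall's own address, 192.0.2.10 as a probing host) and the placement of the poster's test rule in INPUT are assumptions.

```python
"""Added example: first-match rule evaluation with INPUT/FORWARD chain
selection for a routed (non-NAT) network. Not the SG 565's own code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FIREWALL_ADDRS = {"203.0.113.1"}   # constructed: the firewall's own interface address


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    chain: str                      # "INPUT" or "FORWARD"
    action: str                     # "ACCEPT" or "DROP"
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any port
    dst: Optional[str] = None       # None matches any destination


@dataclass
class Ruleset:
    policy: Dict[str, str]          # per-chain default, as set by "iptables -P"
    rules: List[Rule] = field(default_factory=list)


def chain_for(pkt: Packet) -> str:
    """A packet addressed to the firewall itself traverses INPUT; a packet
    routed on to a host behind it traverses FORWARD (no NAT involved)."""
    return "INPUT" if pkt.dst in FIREWALL_ADDRS else "FORWARD"


def matches(rule: Rule, pkt: Packet) -> bool:
    return all([
        rule.proto is None or rule.proto == pkt.proto,
        rule.dport is None or rule.dport == pkt.dport,
        rule.dst is None or rule.dst == pkt.dst,
    ])


def verdict(rs: Ruleset, pkt: Packet) -> str:
    """First matching rule in the relevant chain wins; otherwise the chain's
    policy applies. With an ACCEPT policy, 'no rule matched' means 'let it in'."""
    chain = chain_for(pkt)
    for rule in rs.rules:
        if rule.chain == chain and matches(rule, pkt):
            return rule.action
    return rs.policy[chain]


def as_found() -> Ruleset:
    """What the custom script leaves behind: every policy ACCEPT, plus the
    poster's test rule to drop 3389, assumed here to have landed in INPUT."""
    return Ruleset(
        policy={"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"},
        rules=[Rule("INPUT", "DROP", proto="tcp", dport=3389)],
    )


def hardened() -> Ruleset:
    """The shape the first post describes: explicit allows for the services that
    must be reachable, with the drop-all expressed as a DROP policy on FORWARD.
    (Management access to the firewall itself would need its own INPUT allow,
    left out here.)"""
    return Ruleset(
        policy={"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"},
        rules=[
            Rule("FORWARD", "ACCEPT", proto="tcp", dport=80, dst="203.0.113.239"),  # web
            Rule("FORWARD", "ACCEPT", proto="tcp", dport=25, dst="203.0.113.237"),  # mail
        ],
    )


# Constructed probes mirroring the traffic the thread talks about.
RDP_PROBE = Packet("192.0.2.10", "203.0.113.215", "tcp", 3389)
WEB_HIT = Packet("192.0.2.10", "203.0.113.239", "tcp", 80)
SQL_PROBE = Packet("192.0.2.10", "203.0.113.241", "udp", 1434)

if __name__ == "__main__":
    for name, rs in (("as found", as_found()), ("hardened", hardened())):
        for pkt in (RDP_PROBE, WEB_HIT, SQL_PROBE):
            print(f"{name:9} {pkt.proto}/{pkt.dport} -> {pkt.dst}: {verdict(rs, pkt)}")
```

Run as a script it prints the verdicts for both rulesets: the RDP probe is accepted "as found" because it is evaluated in FORWARD, where only the ACCEPT policy applies, and is dropped once the allows and the DROP policy live in FORWARD.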

Former Member
Message 3 of 6

Re: Packet Filter rules not taking effect

Hi

I tried just using the GUI and the rules I put in do not block any traffic.

Also activated Snort and IPS.

The logs are not telling me the attacks are being blocked.

Copy of logs. I have subbed aaa.bbb.ccc for our IP.

===============================================================================================================

View Local System Log

Feb  2 16:55:24 snort: (20130202T165524405) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.241:1434

Feb  2 16:55:24 snort: (20130202T165524408) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.241:1434

Feb  2 16:55:24 snort: (20130202T165524410) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.241:1434

Feb  2 16:59:57 snort: (20130202T165957295) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 199.187.122.91:42847 -> aaa.bbb.ccc.239:80

Feb  2 17:00:34 snort: (20130202T170034625) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 66.249.74.51:39636 -> aaa.bbb.ccc.239:80

Feb  2 17:01:16 snort: (20130202T170116339) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 199.30.20.36:3026 -> aaa.bbb.ccc.239:80

Feb  2 17:03:40 snort: (20130202T170340310) [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} aaa.bbb.ccc.237:2495 -> 203.63.5.148:80

Feb  2 17:04:13 snort: (20130202T170413384) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 114.39.198.61:3629 -> aaa.bbb.ccc.235:1434

Feb  2 17:04:13 snort: (20130202T170413386) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 114.39.198.61:3629 -> aaa.bbb.ccc.235:1434

Feb  2 17:04:13 snort: (20130202T170413387) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 114.39.198.61:3629 -> aaa.bbb.ccc.235:1434

Feb  2 17:04:39 snort: (20130202T170439236) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.14:1434

Feb  2 17:04:39 snort: (20130202T170439280) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.14:1434

Feb  2 17:04:39 snort: (20130202T170439281) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.14:1434

Feb  2 17:05:58 snort: (20130202T170558695) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 157.56.229.87:48706 -> aaa.bbb.ccc.239:80

Feb  2 17:09:49 snort: (20130202T170949043) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 66.249.74.157:61560 -> aaa.bbb.ccc.239:80

Feb  2 17:12:40 snort: (20130202T171240343) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 157.55.33.112:24792 -> aaa.bbb.ccc.241:80

Feb  2 17:13:53 snort: (20130202T171353899) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.43:1434

Feb  2 17:13:53 snort: (20130202T171353920) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.43:1434

Feb  2 17:13:53 snort: (20130202T171353920) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.43:1434

Feb  2 17:15:29 snort: (20130202T171529642) [1:1448:12] MISC MS Terminal server request [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} 60.2.247.237:1741 -> aaa.bbb.ccc.215:3389

Feb  2 17:15:30 snort: (20130202T171530243) [1:2418:4] MISC MS Terminal Server no encryption session initiation attempt [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 60.2.247.237:1741 -> aaa.bbb.ccc.215:3389

Feb  2 17:16:10 snort: (20130202T171610526) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 69.46.28.54:46340 -> aaa.bbb.ccc.241:80

Feb  2 17:16:20 snort: (20130202T171620020) [1:1448:12] MISC MS Terminal server request [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} 118.69.199.175:63947 -> aaa.bbb.ccc.215:3389

Feb  2 17:18:12 last message repeated 1 time(s)

Feb  2 17:18:12 snort: (20130202T171812575) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 157.56.93.207:40657 -> aaa.bbb.ccc.239:80

Feb  2 17:19:32 snort: (20130202T171932133) [1:2182:8] BACKDOOR typot trojan traffic [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} 180.146.120.242:36598 -> aaa.bbb.ccc.34:6280

Feb  2 17:21:55 snort: (20130202T172155900) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 157.55.33.112:31246 -> aaa.bbb.ccc.239:80

Feb  2 17:23:08 snort: (20130202T172308626) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.72:1434

Feb  2 17:23:08 snort: (20130202T172308647) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.72:1434

Feb  2 17:23:08 snort: (20130202T172308648) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.72:1434

Feb  2 17:23:16 snort: (20130202T172316200) [1:882:5] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 120.151.207.179:1898 -> aaa.bbb.ccc.237:80

Feb  2 17:23:57 snort: (20130202T172357701) [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5! {TCP} 50.112.59.10:0 -> aaa.bbb.ccc.0:0

Feb  2 17:26:55 snort: (20130202T172655446) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 217.238.97.96:52933 -> aaa.bbb.ccc.239:80

Feb  2 17:27:46 snort: (20130202T172746377) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 46.165.197.142:39401 -> aaa.bbb.ccc.239:80

Feb  2 17:28:41 snort: (20130202T172841404) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 87.106.28.40:45648 -> aaa.bbb.ccc.241:80

Feb  2 17:31:22 snort: (20130202T173122879) [1:882:5] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 120.151.207.179:2016 -> aaa.bbb.ccc.237:80

Feb  2 17:32:26 snort: (20130202T173226920) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.101:1434

Feb  2 17:32:26 snort: (20130202T173226940) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.101:1434

Feb  2 17:32:26 snort: (20130202T173226941) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.101:1434

Feb  2 17:32:54 snort: (20130202T173254009) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 207.241.226.101:45785 -> aaa.bbb.ccc.239:80

Feb  2 17:32:54 snort: (20130202T173254134) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 207.241.226.106:38876 -> aaa.bbb.ccc.239:80

Feb  2 17:36:04 snort: (20130202T173604047) [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} 202.44.185.225:54159 -> aaa.bbb.ccc.237:80

Feb  2 17:36:07 snort: (20130202T173607381) [1:1333:6] WEB-ATTACKS id command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 202.44.185.225:54160 -> aaa.bbb.ccc.237:80

Feb  2 17:36:50 snort: (20130202T173650778) [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY {TCP} 120.151.207.179:2059 -> aaa.bbb.ccc.237:80

Feb  2 17:37:28 snort: (20130202T173728284) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 65.55.52.92:25567 -> aaa.bbb.ccc.239:80

Feb  2 17:38:11 snort: (20130202T173811158) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 208.115.113.86:50331 -> aaa.bbb.ccc.239:80

Feb  2 17:41:41 snort: (20130202T174141746) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.130:1434

Feb  2 17:41:41 snort: (20130202T174141766) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.130:1434

Feb  2 17:41:41 snort: (20130202T174141768) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.130:1434

Feb  2 17:41:44 snort: (20130202T174144464) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 157.55.32.149:32542 -> aaa.bbb.ccc.239:80

Feb  2 17:42:06 snort: (20130202T174206613) [1:1448:12] MISC MS Terminal server request [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} 111.74.239.61:1771 -> aaa.bbb.ccc.215:3389

Feb  2 17:42:07 snort: (20130202T174207098) [1:2418:4] MISC MS Terminal Server no encryption session initiation attempt [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 111.74.239.61:1771 -> aaa.bbb.ccc.215:3389

Feb  2 17:42:51 snort: (20130202T174251114) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 88.112.51.30:62194 -> aaa.bbb.ccc.239:80

Feb  2 17:47:40 snort: (20130202T174740845) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 157.55.32.141:43235 -> aaa.bbb.ccc.239:80

Feb  2 17:48:24 snort: (20130202T174824931) [1:1448:12] MISC MS Terminal server request [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} 118.69.199.183:61084 -> aaa.bbb.ccc.215:3389

Feb  2 17:49:43 last message repeated 1 time(s)

Feb  2 17:49:43 snort: (20130202T174943868) [1:1560:6] WEB-MISC /doc/ access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 180.76.5.180:15306 -> aaa.bbb.ccc.239:80

Feb  2 17:50:56 snort: (20130202T175056623) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.159:1434

Feb  2 17:50:56 snort: (20130202T175056643) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.159:1434

Feb  2 17:50:56 snort: (20130202T175056645) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.159:1434

Feb  2 17:53:29 snort: (20130202T175329955) [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} 202.44.185.225:54219 -> aaa.bbb.ccc.237:80

Feb  2 17:53:37 snort: (20130202T175337128) [1:1333:6] WEB-ATTACKS id command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 202.44.185.225:54221 -> aaa.bbb.ccc.237:80

Feb  2 17:54:45 snort: (20130202T175445463) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 5.9.125.26:54908 -> aaa.bbb.ccc.239:80

Feb  2 17:56:30 snort: (20130202T175630423) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 5.9.36.119:37790 -> aaa.bbb.ccc.239:80

Feb  2 17:58:25 snort: (20130202T175825237) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 24.121.213.135:1892 -> aaa.bbb.ccc.237:1434

Feb  2 17:58:25 snort: (20130202T175825258) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 24.121.213.135:1892 -> aaa.bbb.ccc.237:1434

Feb  2 17:58:25 snort: (20130202T175825259) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 24.121.213.135:1892 -> aaa.bbb.ccc.237:1434

Feb  2 18:00:53 snort: (20130202T180053626) [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} 202.44.185.225:54257 -> aaa.bbb.ccc.237:80

Feb  2 18:00:56 snort: (20130202T180056754) [1:1333:6] WEB-ATTACKS id command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 202.44.185.225:54258 -> aaa.bbb.ccc.237:80

Feb  2 18:02:54 snort: (20130202T180254549) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 157.55.32.184:27975 -> aaa.bbb.ccc.239:80

Feb  2 18:02:56 snort: (20130202T180256442) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 61.185.238.233:4365 -> aaa.bbb.ccc.36:1434

Feb  2 18:02:56 snort: (20130202T180256444) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 61.185.238.233:4365 -> aaa.bbb.ccc.36:1434

Feb  2 18:02:56 snort: (20130202T180256445) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 61.185.238.233:4365 -> aaa.bbb.ccc.36:1434

Feb  2 18:03:15 snort: (20130202T180315051) [1:2179:6] FTP PASS format string attempt [Classification: Misc Attack] [Priority: 2]: {TCP} 222.186.23.31:1049 -> aaa.bbb.ccc.239:21

Feb  2 18:03:15 snort: (20130202T180315053) [1:2417:1] FTP format string attempt [Classification: A suspicious string was detected] [Priority: 3]: {TCP} 222.186.23.31:1049 -> aaa.bbb.ccc.239:21

Feb  2 18:07:08 snort: (20130202T180708440) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 66.249.74.123:36753 -> aaa.bbb.ccc.239:80

Feb  2 18:08:32 snort: (20130202T180832344) [1:1448:12] MISC MS Terminal server request [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} 60.2.247.237:1742 -> aaa.bbb.ccc.215:3389

Feb  2 18:08:32 snort: (20130202T180832885) [1:2418:4] MISC MS Terminal Server no encryption session initiation attempt [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 60.2.247.237:1742 -> aaa.bbb.ccc.215:3389

Feb  2 18:09:19 snort: (20130202T180919650) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 157.55.32.113:37400 -> aaa.bbb.ccc.237:80

Feb  2 18:09:26 snort: (20130202T180926188) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.217:1434

Feb  2 18:09:26 snort: (20130202T180926190) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.217:1434

Feb  2 18:09:26 snort: (20130202T180926192) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.217:1434

Feb  2 18:13:40 snort: (20130202T181340192) [1:1448:12] MISC MS Terminal server request [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} 183.60.205.228:3774 -> aaa.bbb.ccc.215:3389

Feb  2 18:13:40 snort: (20130202T181340694) [1:2418:4] MISC MS Terminal Server no encryption session initiation attempt [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 183.60.205.228:3774 -> aaa.bbb.ccc.215:3389

Feb  2 18:17:18 snort: (20130202T181718211) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 66.249.74.224:55067 -> aaa.bbb.ccc.239:80

Feb  2 18:18:02 snort: (20130202T181802386) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 66.249.74.31:37304 -> aaa.bbb.ccc.237:80

Feb  2 18:18:12 snort: (20130202T181812928) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 71.197.47.174:2330 -> aaa.bbb.ccc.87:1434

Feb  2 18:18:12 snort: (20130202T181812948) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 71.197.47.174:2330 -> aaa.bbb.ccc.87:1434

Feb  2 18:18:12 snort: (20130202T181812950) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 71.197.47.174:2330 -> aaa.bbb.ccc.87:1434

Feb  2 18:18:35 snort: (20130202T181835681) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 100.43.83.147:62145 -> aaa.bbb.ccc.239:80

Feb  2 18:18:40 snort: (20130202T181840915) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.246:1434

Feb  2 18:18:40 snort: (20130202T181840917) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.246:1434

Feb  2 18:18:40 snort: (20130202T181840918) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.246:1434

Feb  2 18:21:26 snort: (20130202T182126494) [1:1448:12] MISC MS Terminal server request [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} 66.208.211.174:3674 -> aaa.bbb.ccc.215:3389

Feb  2 18:21:26 snort: (20130202T182126749) [1:2418:4] MISC MS Terminal Server no encryption session initiation attempt [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 66.208.211.174:3674 -> aaa.bbb.ccc.215:3389

Feb  2 18:22:16 snort: (20130202T182216246) [1:1201:7] ATTACK-RESPONSES 403 Forbidden [Classification: Attempted Information Leak] [Priority: 2]: {TCP} aaa.bbb.ccc.239:80 -> 173.199.116.59:46031

Feb  2 18:22:59 snort: (20130202T182259116) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 124.115.6.13:55172 -> aaa.bbb.ccc.237:80

Feb  2 18:23:51 snort: (20130202T182351948) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 178.255.215.74:48418 -> aaa.bbb.ccc.239:80

===============================================================================================================

Here is a sample of log from the server logs, from the web server.

===============================================================================================================

16/01/2013    21:20:34    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

16/01/2013    21:20:34    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

16/01/2013    21:20:35    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

16/01/2013    21:20:36    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

16/01/2013    21:20:37    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

16/01/2013    21:20:37    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

16/01/2013    21:20:38    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

16/01/2013    21:20:39    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

16/01/2013    21:20:40    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

16/01/2013    21:20:41    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

16/01/2013    21:20:41    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

16/01/2013    21:20:42    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

16/01/2013    21:20:43    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

16/01/2013    21:20:44    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

16/01/2013    21:20:44    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

16/01/2013    21:20:45    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

16/01/2013    21:20:46    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

16/01/2013    21:20:47    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

16/01/2013    21:20:47    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

16/01/2013    21:20:48    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

16/01/2013    21:20:49    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

===============================================================================================================

Over 36 hrs there were over 80,000 similar entries.

Hope that explains things a bit better

Hope you can help.

Former Member
Message 4 of 6

Re: Packet Filter rules not taking effect

These logs tell you attacks are being detected, although it does appear you have opened up a port for your web server, which is failing logins from the web server logs.

Unless you have these ports open, these attacks will be blocked.

If they are open, IPS can optionally block the sender IP if desired.

Can I assist further?
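A way to triage the two log formats posted in the previous message, and to check this reply's point that detections only matter on ports that are actually open, as an added example (not code from the thread, the poster, or the SG 565): it parses the Snort alert lines in the syslog form shown above and the MSSQLSERVER Failure Audit rows (event 18456), then reports which inbound services the alerts are reaching and which source addresses are repeatedly failing logins. Direction is taken from the addresses, not from the rule name, because the "OUTBOUND" worm signature fires on inbound packets here. The sample lines are copied from the thread (aaa.bbb.ccc is the poster's substitution); the row from 198.51.100.7 and the threshold of 3 are constructed.

```python
"""Added example: parse Snort syslog alerts and MSSQL failure-audit rows from
the thread and summarise reached services and brute-force sources."""
import re
from collections import Counter
from typing import Dict, List, Tuple

LOCAL_PREFIX = "aaa.bbb.ccc."   # the poster's placeholder for the public /24

# Snort syslog form: timestamp, "snort:", event id in parentheses, [gid:sid:rev],
# message, optional "[Classification: ...] [Priority: N]:", then {PROTO} src:sport -> dst:dport
SNORT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) snort: \([^)]+\) "
    r"\[(?P<sid>[\d:]+)\] (?P<msg>.*?)"
    r"(?: \[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<pri>\d)\]:)? "
    r"\{(?P<proto>TCP|UDP)\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)


def parse_snort(lines: List[str]) -> List[Dict[str, object]]:
    alerts = []
    for line in lines:
        m = SNORT_RE.match(line.strip())
        if not m:   # e.g. "last message repeated N time(s)" and other syslog noise
            continue
        a: Dict[str, object] = m.groupdict()
        a["sport"], a["dport"] = int(m["sport"]), int(m["dport"])
        a["pri"] = int(m["pri"]) if m["pri"] else None
        # Direction from addresses: a local destination and a remote source.
        a["inbound"] = m["dst"].startswith(LOCAL_PREFIX) and not m["src"].startswith(LOCAL_PREFIX)
        alerts.append(a)
    return alerts


def inbound_targets(alerts: List[Dict[str, object]]) -> Counter:
    """(proto, dport) pairs hit by classified inbound alerts: the services the
    Internet is actually reaching. Decoder warnings (no classification) are skipped."""
    return Counter((a["proto"], a["dport"]) for a in alerts if a["inbound"] and a["cls"])


def parse_mssql_failures(lines: List[str]) -> Counter:
    """Count event 18456 (login failed) rows per source address. Columns in the
    exported event log are separated by tabs or runs of spaces."""
    failures: Counter = Counter()
    for line in lines:
        fields = re.split(r"\t|\s{2,}", line.strip())
        if len(fields) < 10 or fields[5] != "18456":
            continue
        failures[fields[-1]] += 1   # last column is the client address
    return failures


def brute_force_sources(failures: Counter, threshold: int = 3) -> List[str]:
    return sorted(ip for ip, n in failures.items() if n >= threshold)


# Sample lines copied from the thread; the 198.51.100.7 row is constructed.
SNORT_SAMPLE = [
    "Feb  2 16:55:24 snort: (20130202T165524405) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.241:1434",
    "Feb  2 16:59:57 snort: (20130202T165957295) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 199.187.122.91:42847 -> aaa.bbb.ccc.239:80",
    "Feb  2 17:15:29 snort: (20130202T171529642) [1:1448:12] MISC MS Terminal server request [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} 60.2.247.237:1741 -> aaa.bbb.ccc.215:3389",
    "Feb  2 17:18:12 last message repeated 1 time(s)",
    "Feb  2 17:23:57 snort: (20130202T172357701) [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5! {TCP} 50.112.59.10:0 -> aaa.bbb.ccc.0:0",
    "Feb  2 18:03:15 snort: (20130202T180315051) [1:2179:6] FTP PASS format string attempt [Classification: Misc Attack] [Priority: 2]: {TCP} 222.186.23.31:1049 -> aaa.bbb.ccc.239:21",
    "Feb  2 18:22:16 snort: (20130202T182216246) [1:1201:7] ATTACK-RESPONSES 403 Forbidden [Classification: Attempted Information Leak] [Priority: 2]: {TCP} aaa.bbb.ccc.239:80 -> 173.199.116.59:46031",
]
MSSQL_SAMPLE = [
    "16/01/2013    21:20:34    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140",
    "16/01/2013    21:20:34    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140",
    "16/01/2013    21:20:35    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140",
    "16/01/2013    21:21:02    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     198.51.100.7",
]


def report(snort_lines: List[str], mssql_lines: List[str]) -> Tuple[Counter, List[str]]:
    targets = inbound_targets(parse_snort(snort_lines))
    sources = brute_force_sources(parse_mssql_failures(mssql_lines))
    return targets, sources


if __name__ == "__main__":
    targets, sources = report(SNORT_SAMPLE, MSSQL_SAMPLE)
    for (proto, port), n in sorted(targets.items()):
        print(f"inbound {proto}/{port}: {n} alert(s)")
    print("repeated login failures from:", ", ".join(sources))
```

The inbound target list is the one to compare against the packet filter: every (proto, port) in it that is not a service you intend to expose is traffic the firewall is letting through to the hosts, and the login-failure counts show which of those ports is being brute-forced on the server side.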

Former Member
Message 5 of 6

Re: Packet Filter rules not taking effect

Hi

This is the thing: I cannot seem to get the IPS to block the offending IPs or get the GUI rules I have set to work.

Are you willing to log onto the router and have a look?

I can send you details off list?

If I had another SG 565 I could try a few more things.

Former Member
Message 6 of 6

Re: Packet Filter rules not taking effect
