5 Replies. Latest reply: Feb 3, 2013 9:58 PM by tomcross

    Packet Filter rules not taking effect

    tomcross

      Hi

      We have an SG 565 with an Ethernet-over-copper internet connection.

      This feeds a class C IP range visible over the internet.

      It is not NATed.

      The person that set it up and looked after the security of the network has now passed away.

       

      After doing a bit of reading, it seems that the way the security was handled is not best practice.

      From what I have read, there should be rules for the ports you want to allow in, and everything else should be blocked with a drop-all at the end of the rules.

       

      The only rules in the Packet Filtering > Packet Filter Rules tab were the default rules.

      Drop Windows Networking     Active

      Drop RFC1918 Incoming     Not Active

      Drop RFC1918 Outgoing     Not Active

       

      The rules in the Packet Filtering > Custom Firewall Rules tab (with "Custom firewall rules are instead of built-in rules" NOT ticked) has around 270 rows of rules,

      starting with the following (between the ===== lines):

      ================================================================================

      cp /etc/0 /proc/sys/net/ipv4/conf/eth0/proxy_arp

      cp /etc/0 /proc/sys/net/ipv4/conf/eth1/proxy_arp

      cp /etc/1 /proc/sys/net/ipv4/ip_forward

      sysctl -w net.ipv4.route.max_size=8192

      iptables -F

      iptables -N LOGDROP

      iptables -A LOGDROP -j LOG

      iptables -A LOGDROP -j DROP

      iptables -N LOGREJ

      iptables -A LOGREJ -j LOG

      iptables -A LOGREJ -p tcp -j REJECT --reject-with tcp-reset

      iptables -A LOGREJ -j REJECT --reject-with icmp-port-unreachable

      iptables -N REJ

      iptables -A REJ -p tcp -j REJECT --reject-with tcp-reset

      iptables -A REJ -p udp -j REJECT --reject-with icmp-port-unreachable

      iptables -t nat -F

      iptables -t mangle -F

      iptables -P INPUT ACCEPT

      #    10%

      ================================================================================

      Further down there is a 25%, a 50% and a 75%.

      OK, I say, let's see if we can tidy this up, since we are getting hammered by Chinese IPs trying to hack our servers with dictionary attacks.

      So in the Packet Filter Rules I go through and add all the ports we need coming in and activate them, and also add the drop-all at the end.

      No difference, which is what I thought would happen, since the other rules are still in operation.

      I now delete all the custom firewall rules, after backing up.

       

      That blocked them all right: we could not get anything from external, no web, no mail.

      Copied Custom firewall rules back, all OK.

      Next, deleted all after the 10%.

      Same result.

      Copied Custom firewall rules back, all OK.

      Next, found 2 more iptables -P INPUT commands, the first lines after the 50%:

      iptables -P OUTPUT ACCEPT

      iptables -P FORWARD ACCEPT

      Copied those under the INPUT ACCEPT, above the 10%.

      Deleted all after the 10%, updated.

      We now had web and mail, so that part worked.

      BUT none of the rules in the first tab (Packet filter rules) seem to be working.

      We are still getting hammered.

      I set up a couple of tests.

      Dropping 3389 to a server: ticked the check box, restarted the router, and I could still come into that server on 3389.

      Copied all Custom firewall rules back.

      Any ideas please?

        • 1. Re: Packet Filter rules not taking effect

          The custom rules look identical to the inbuilt rules run by default. I would suggest he has copied them at some stage.

           

          I suggest you don't use custom rules and instead use the GUI.

           

          Since you are not in a NATed environment, you simply need to create packet filter rules of type = forward to allow the services you require.

           

          When you say you are getting 'hammered'... what exactly does this mean?

          Does it mean the firewall is performing its job and successfully blocking probes/attacks (and perhaps logging this), or does it mean your internal servers are under excessive load due to packets coming in via the firewall?
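The rule shape the original post reads about (allow the published ports in, drop everything else at the end) and the advice above (forward-type rules, since nothing is NATed) come to the same ruleset. Below is an added example of that ruleset in iptables-restore form; it is not code from this thread or from the SG565 firmware. It reuses the LOGDROP chain idea from the custom rules quoted above, and the interface names eth0/eth1, the port list and the log prefix are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the SG565 firmware. Emits an
# iptables-restore ruleset for a routed (non-NAT) firewall in the shape the
# thread recommends: explicit accepts for the inbound services that are
# needed, then a final log-and-drop rule. Interface names and ports are
# assumptions for illustration.

WAN_IF="eth1"   # assumption: internet-facing interface
LAN_IF="eth0"   # assumption: interface facing the public class C range

# gen_ruleset "<tcp ports>" "<udp ports>" -> iptables-restore text on stdout
gen_ruleset() {
    tcp_ports="$1"
    udp_ports="$2"
    printf '%s\n' '*filter'
    # Default-deny policies; OUTPUT (the router's own traffic) stays open
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # LOGDROP chain as in the custom rules, rate-limited so a scan cannot
    # flood the log
    printf '%s\n' ':LOGDROP - [0:0]'
    printf '%s\n' '-A LOGDROP -m limit --limit 10/min -j LOG --log-prefix "FW-DROP: "'
    printf '%s\n' '-A LOGDROP -j DROP'
    # Router management only from the inside
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A INPUT -i $LAN_IF -j ACCEPT"
    printf '%s\n' '-A INPUT -j LOGDROP'
    # Return traffic for connections the servers opened, and LAN -> internet
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    # The allow list: one forward rule per published service
    for p in $tcp_ports; do
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $udp_ports; do
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -p udp --dport $p -j ACCEPT"
    done
    # The "drop all at the end" from the thread, with logging
    printf '%s\n' '-A FORWARD -j LOGDROP'
    printf '%s\n' 'COMMIT'
}

# count_forward_accepts "<ruleset text>" -> number of per-port FORWARD accepts
count_forward_accepts() {
    printf '%s\n' "$1" | grep -c -e '^-A FORWARD .*--dport '
}

# last_forward_rule "<ruleset text>" -> the last FORWARD rule before COMMIT
last_forward_rule() {
    printf '%s\n' "$1" | grep -e '^-A FORWARD ' | tail -n 1
}

# Example: web, mail and DNS published to the internal range
gen_ruleset "80 443 25" "53"
```

On a stock Linux router the output is fed to `iptables-restore`; on the SG565 the equivalent is one GUI packet filter rule of type forward per line in the allow list, with the drop-all left to the appliance. The point worth checking against the thread is ordering: with a DROP policy and a trailing LOGDROP rule, a port that is "still open" can only be open because an earlier ACCEPT matched it, which is exactly what the 270-line custom script was doing ahead of the GUI rules.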

          • 2. Re: Packet Filter rules not taking effect
            tomcross

            Hi

            I tried just using the GUI and the rules I put in do not block any traffic.

            Also activated Snort and IPS.

            The logs are not telling me the attacks are being blocked.

            Copy of logs; I have substituted aaa.bbb.ccc for our IP.

            ================================================================================


            Feb  2 16:55:24 snort: (20130202T165524405) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.241:1434

            Feb  2 16:55:24 snort: (20130202T165524408) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.241:1434

            Feb  2 16:55:24 snort: (20130202T165524410) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.241:1434

            Feb  2 16:59:57 snort: (20130202T165957295) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 199.187.122.91:42847 -> aaa.bbb.ccc.239:80

            Feb  2 17:00:34 snort: (20130202T170034625) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 66.249.74.51:39636 -> aaa.bbb.ccc.239:80

            Feb  2 17:01:16 snort: (20130202T170116339) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 199.30.20.36:3026 -> aaa.bbb.ccc.239:80

            Feb  2 17:03:40 snort: (20130202T170340310) [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} aaa.bbb.ccc.237:2495 -> 203.63.5.148:80

            Feb  2 17:04:13 snort: (20130202T170413384) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 114.39.198.61:3629 -> aaa.bbb.ccc.235:1434

            Feb  2 17:04:13 snort: (20130202T170413386) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 114.39.198.61:3629 -> aaa.bbb.ccc.235:1434

            Feb  2 17:04:13 snort: (20130202T170413387) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 114.39.198.61:3629 -> aaa.bbb.ccc.235:1434

            Feb  2 17:04:39 snort: (20130202T170439236) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.14:1434

            Feb  2 17:04:39 snort: (20130202T170439280) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.14:1434

            Feb  2 17:04:39 snort: (20130202T170439281) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.14:1434

            Feb  2 17:05:58 snort: (20130202T170558695) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 157.56.229.87:48706 -> aaa.bbb.ccc.239:80

            Feb  2 17:09:49 snort: (20130202T170949043) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 66.249.74.157:61560 -> aaa.bbb.ccc.239:80

            Feb  2 17:12:40 snort: (20130202T171240343) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 157.55.33.112:24792 -> aaa.bbb.ccc.241:80

            Feb  2 17:13:53 snort: (20130202T171353899) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.43:1434

            Feb  2 17:13:53 snort: (20130202T171353920) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.43:1434

            Feb  2 17:13:53 snort: (20130202T171353920) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.43:1434

            Feb  2 17:15:29 snort: (20130202T171529642) [1:1448:12] MISC MS Terminal server request [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} 60.2.247.237:1741 -> aaa.bbb.ccc.215:3389

            Feb  2 17:15:30 snort: (20130202T171530243) [1:2418:4] MISC MS Terminal Server no encryption session initiation attempt [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 60.2.247.237:1741 -> aaa.bbb.ccc.215:3389

            Feb  2 17:16:10 snort: (20130202T171610526) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 69.46.28.54:46340 -> aaa.bbb.ccc.241:80

            Feb  2 17:16:20 snort: (20130202T171620020) [1:1448:12] MISC MS Terminal server request [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} 118.69.199.175:63947 -> aaa.bbb.ccc.215:3389

            Feb  2 17:18:12 last message repeated 1 time(s)

            Feb  2 17:18:12 snort: (20130202T171812575) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 157.56.93.207:40657 -> aaa.bbb.ccc.239:80

            Feb  2 17:19:32 snort: (20130202T171932133) [1:2182:8] BACKDOOR typot trojan traffic [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} 180.146.120.242:36598 -> aaa.bbb.ccc.34:6280

            Feb  2 17:21:55 snort: (20130202T172155900) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 157.55.33.112:31246 -> aaa.bbb.ccc.239:80

            Feb  2 17:23:08 snort: (20130202T172308626) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.72:1434

            Feb  2 17:23:08 snort: (20130202T172308647) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.72:1434

            Feb  2 17:23:08 snort: (20130202T172308648) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.72:1434

            Feb  2 17:23:16 snort: (20130202T172316200) [1:882:5] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 120.151.207.179:1898 -> aaa.bbb.ccc.237:80

            Feb  2 17:23:57 snort: (20130202T172357701) [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5! {TCP} 50.112.59.10:0 -> aaa.bbb.ccc.0:0

            Feb  2 17:26:55 snort: (20130202T172655446) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 217.238.97.96:52933 -> aaa.bbb.ccc.239:80

            Feb  2 17:27:46 snort: (20130202T172746377) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 46.165.197.142:39401 -> aaa.bbb.ccc.239:80

            Feb  2 17:28:41 snort: (20130202T172841404) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 87.106.28.40:45648 -> aaa.bbb.ccc.241:80

            Feb  2 17:31:22 snort: (20130202T173122879) [1:882:5] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 120.151.207.179:2016 -> aaa.bbb.ccc.237:80

            Feb  2 17:32:26 snort: (20130202T173226920) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.101:1434

            Feb  2 17:32:26 snort: (20130202T173226940) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.101:1434

            Feb  2 17:32:26 snort: (20130202T173226941) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.101:1434

            Feb  2 17:32:54 snort: (20130202T173254009) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 207.241.226.101:45785 -> aaa.bbb.ccc.239:80

            Feb  2 17:32:54 snort: (20130202T173254134) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 207.241.226.106:38876 -> aaa.bbb.ccc.239:80

            Feb  2 17:36:04 snort: (20130202T173604047) [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} 202.44.185.225:54159 -> aaa.bbb.ccc.237:80

            Feb  2 17:36:07 snort: (20130202T173607381) [1:1333:6] WEB-ATTACKS id command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 202.44.185.225:54160 -> aaa.bbb.ccc.237:80

            Feb  2 17:36:50 snort: (20130202T173650778) [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY {TCP} 120.151.207.179:2059 -> aaa.bbb.ccc.237:80

            Feb  2 17:37:28 snort: (20130202T173728284) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 65.55.52.92:25567 -> aaa.bbb.ccc.239:80

            Feb  2 17:38:11 snort: (20130202T173811158) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 208.115.113.86:50331 -> aaa.bbb.ccc.239:80

            Feb  2 17:41:41 snort: (20130202T174141746) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.130:1434

            Feb  2 17:41:41 snort: (20130202T174141766) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.130:1434

            Feb  2 17:41:41 snort: (20130202T174141768) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.130:1434

            Feb  2 17:41:44 snort: (20130202T174144464) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 157.55.32.149:32542 -> aaa.bbb.ccc.239:80

            Feb  2 17:42:06 snort: (20130202T174206613) [1:1448:12] MISC MS Terminal server request [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} 111.74.239.61:1771 -> aaa.bbb.ccc.215:3389

            Feb  2 17:42:07 snort: (20130202T174207098) [1:2418:4] MISC MS Terminal Server no encryption session initiation attempt [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 111.74.239.61:1771 -> aaa.bbb.ccc.215:3389

            Feb  2 17:42:51 snort: (20130202T174251114) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 88.112.51.30:62194 -> aaa.bbb.ccc.239:80

            Feb  2 17:47:40 snort: (20130202T174740845) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 157.55.32.141:43235 -> aaa.bbb.ccc.239:80

            Feb  2 17:48:24 snort: (20130202T174824931) [1:1448:12] MISC MS Terminal server request [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} 118.69.199.183:61084 -> aaa.bbb.ccc.215:3389

            Feb  2 17:49:43 last message repeated 1 time(s)

            Feb  2 17:49:43 snort: (20130202T174943868) [1:1560:6] WEB-MISC /doc/ access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 180.76.5.180:15306 -> aaa.bbb.ccc.239:80

            Feb  2 17:50:56 snort: (20130202T175056623) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.159:1434

            Feb  2 17:50:56 snort: (20130202T175056643) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.159:1434

            Feb  2 17:50:56 snort: (20130202T175056645) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.159:1434

            Feb  2 17:53:29 snort: (20130202T175329955) [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} 202.44.185.225:54219 -> aaa.bbb.ccc.237:80

            Feb  2 17:53:37 snort: (20130202T175337128) [1:1333:6] WEB-ATTACKS id command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 202.44.185.225:54221 -> aaa.bbb.ccc.237:80

            Feb  2 17:54:45 snort: (20130202T175445463) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 5.9.125.26:54908 -> aaa.bbb.ccc.239:80

            Feb  2 17:56:30 snort: (20130202T175630423) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 5.9.36.119:37790 -> aaa.bbb.ccc.239:80

            Feb  2 17:58:25 snort: (20130202T175825237) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 24.121.213.135:1892 -> aaa.bbb.ccc.237:1434

            Feb  2 17:58:25 snort: (20130202T175825258) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 24.121.213.135:1892 -> aaa.bbb.ccc.237:1434

            Feb  2 17:58:25 snort: (20130202T175825259) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 24.121.213.135:1892 -> aaa.bbb.ccc.237:1434

            Feb  2 18:00:53 snort: (20130202T180053626) [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} 202.44.185.225:54257 -> aaa.bbb.ccc.237:80

            Feb  2 18:00:56 snort: (20130202T180056754) [1:1333:6] WEB-ATTACKS id command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 202.44.185.225:54258 -> aaa.bbb.ccc.237:80

            Feb  2 18:02:54 snort: (20130202T180254549) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 157.55.32.184:27975 -> aaa.bbb.ccc.239:80

            Feb  2 18:02:56 snort: (20130202T180256442) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 61.185.238.233:4365 -> aaa.bbb.ccc.36:1434

            Feb  2 18:02:56 snort: (20130202T180256444) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 61.185.238.233:4365 -> aaa.bbb.ccc.36:1434

            Feb  2 18:02:56 snort: (20130202T180256445) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 61.185.238.233:4365 -> aaa.bbb.ccc.36:1434

            Feb  2 18:03:15 snort: (20130202T180315051) [1:2179:6] FTP PASS format string attempt [Classification: Misc Attack] [Priority: 2]: {TCP} 222.186.23.31:1049 -> aaa.bbb.ccc.239:21

            Feb  2 18:03:15 snort: (20130202T180315053) [1:2417:1] FTP format string attempt [Classification: A suspicious string was detected] [Priority: 3]: {TCP} 222.186.23.31:1049 -> aaa.bbb.ccc.239:21

            Feb  2 18:07:08 snort: (20130202T180708440) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 66.249.74.123:36753 -> aaa.bbb.ccc.239:80

            Feb  2 18:08:32 snort: (20130202T180832344) [1:1448:12] MISC MS Terminal server request [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} 60.2.247.237:1742 -> aaa.bbb.ccc.215:3389

            Feb  2 18:08:32 snort: (20130202T180832885) [1:2418:4] MISC MS Terminal Server no encryption session initiation attempt [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 60.2.247.237:1742 -> aaa.bbb.ccc.215:3389

            Feb  2 18:09:19 snort: (20130202T180919650) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 157.55.32.113:37400 -> aaa.bbb.ccc.237:80

            Feb  2 18:09:26 snort: (20130202T180926188) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.217:1434

            Feb  2 18:09:26 snort: (20130202T180926190) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.217:1434

            Feb  2 18:09:26 snort: (20130202T180926192) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.217:1434

            Feb  2 18:13:40 snort: (20130202T181340192) [1:1448:12] MISC MS Terminal server request [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} 183.60.205.228:3774 -> aaa.bbb.ccc.215:3389

            Feb  2 18:13:40 snort: (20130202T181340694) [1:2418:4] MISC MS Terminal Server no encryption session initiation attempt [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 183.60.205.228:3774 -> aaa.bbb.ccc.215:3389

            Feb  2 18:17:18 snort: (20130202T181718211) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 66.249.74.224:55067 -> aaa.bbb.ccc.239:80

            Feb  2 18:18:02 snort: (20130202T181802386) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 66.249.74.31:37304 -> aaa.bbb.ccc.237:80

            Feb  2 18:18:12 snort: (20130202T181812928) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 71.197.47.174:2330 -> aaa.bbb.ccc.87:1434

            Feb  2 18:18:12 snort: (20130202T181812948) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 71.197.47.174:2330 -> aaa.bbb.ccc.87:1434

            Feb  2 18:18:12 snort: (20130202T181812950) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 71.197.47.174:2330 -> aaa.bbb.ccc.87:1434

            Feb  2 18:18:35 snort: (20130202T181835681) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 100.43.83.147:62145 -> aaa.bbb.ccc.239:80

            Feb  2 18:18:40 snort: (20130202T181840915) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.246:1434

            Feb  2 18:18:40 snort: (20130202T181840917) [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [Classification: Misc Attack] [Priority: 2]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.246:1434

            Feb  2 18:18:40 snort: (20130202T181840918) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 202.113.68.250:3908 -> aaa.bbb.ccc.246:1434

            Feb  2 18:21:26 snort: (20130202T182126494) [1:1448:12] MISC MS Terminal server request [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} 66.208.211.174:3674 -> aaa.bbb.ccc.215:3389

            Feb  2 18:21:26 snort: (20130202T182126749) [1:2418:4] MISC MS Terminal Server no encryption session initiation attempt [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 66.208.211.174:3674 -> aaa.bbb.ccc.215:3389

            Feb  2 18:22:16 snort: (20130202T182216246) [1:1201:7] ATTACK-RESPONSES 403 Forbidden [Classification: Attempted Information Leak] [Priority: 2]: {TCP} aaa.bbb.ccc.239:80 -> 173.199.116.59:46031

            Feb  2 18:22:59 snort: (20130202T182259116) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 124.115.6.13:55172 -> aaa.bbb.ccc.237:80

            Feb  2 18:23:51 snort: (20130202T182351948) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 178.255.215.74:48418 -> aaa.bbb.ccc.239:80

            ================================================================================

            Here is a sample from the server logs, from the web server.

            ================================================================================

            16/01/2013    21:20:34    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

            16/01/2013    21:20:34    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

            16/01/2013    21:20:35    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

            16/01/2013    21:20:36    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

            16/01/2013    21:20:37    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

            16/01/2013    21:20:37    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

            16/01/2013    21:20:38    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

            16/01/2013    21:20:39    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

            16/01/2013    21:20:40    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

            16/01/2013    21:20:41    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

            16/01/2013    21:20:41    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

            16/01/2013    21:20:42    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

            16/01/2013    21:20:43    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

            16/01/2013    21:20:44    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

            16/01/2013    21:20:44    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

            16/01/2013    21:20:45    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

            16/01/2013    21:20:46    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

            16/01/2013    21:20:47    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

            16/01/2013    21:20:47    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

            16/01/2013    21:20:48    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

            16/01/2013    21:20:49    MSSQLSERVER    Failure Audit    -4    18456    N/A    MAHLGUN    Login failed for user 'sa'.     61.147.103.140

            ================================================================================

             

            Over 36 hrs there were over 80,000 similar entries.

            Hope that explains things a bit better.

            Hope you can help.
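To turn logs like the two pasted above into something actionable, here is an added example (not from this thread or the appliance) that counts Snort alerts per external source, folding in the "last message repeated N time(s)" lines and skipping our own addresses (ATTACK-RESPONSES alerts have our server as the source), and flags source addresses whose failed 'sa' logins cross a threshold. The sample lines are constructed in the same format as the logs above, using documentation addresses (192.0.2.0/24 stands in for the aaa.bbb.ccc range); the hostname DBHOST and the threshold of 3 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: summarise Snort alerts and MSSQL
# failure audits by source address. The log lines below are constructed in
# the same format as the ones in the thread, with documentation-range
# addresses (192.0.2.0/24 stands in for the aaa.bbb.ccc range).

SAMPLE_SNORT=$(cat <<'EOF'
Feb  2 16:55:24 snort: (20130202T165524405) [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 198.51.100.7:3908 -> 192.0.2.241:1434
Feb  2 16:55:24 snort: (20130202T165524410) [1:2050:7] MS-SQL version overflow attempt [Classification: Misc activity] [Priority: 3]: {UDP} 198.51.100.7:3908 -> 192.0.2.241:1434
Feb  2 16:59:57 snort: (20130202T165957295) [1:1852:3] WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 203.0.113.50:42847 -> 192.0.2.239:80
Feb  2 17:15:29 snort: (20130202T171529642) [1:1448:12] MISC MS Terminal server request [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} 203.0.113.9:1741 -> 192.0.2.215:3389
Feb  2 17:18:12 last message repeated 1 time(s)
Feb  2 18:22:16 snort: (20130202T182216246) [1:1201:7] ATTACK-RESPONSES 403 Forbidden [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.0.2.239:80 -> 203.0.113.60:46031
EOF
)

# Constructed MSSQL failure-audit lines in the same column layout as the thread
SAMPLE_MSSQL=$(cat <<'EOF'
16/01/2013    21:20:34    MSSQLSERVER    Failure Audit    -4    18456    N/A    DBHOST    Login failed for user 'sa'.     198.51.100.21
16/01/2013    21:20:35    MSSQLSERVER    Failure Audit    -4    18456    N/A    DBHOST    Login failed for user 'sa'.     198.51.100.21
16/01/2013    21:20:36    MSSQLSERVER    Failure Audit    -4    18456    N/A    DBHOST    Login failed for user 'sa'.     198.51.100.21
16/01/2013    21:40:02    MSSQLSERVER    Failure Audit    -4    18456    N/A    DBHOST    Login failed for user 'sa'.     203.0.113.5
EOF
)

# snort_alerts_by_source "<log>" "<own prefix>" -> "count ip" lines, busiest
# first. Sources inside our own prefix are skipped: ATTACK-RESPONSES alerts
# have our server as the source and would otherwise inflate the list.
# "last message repeated N time(s)" is credited to the previous source.
snort_alerts_by_source() {
    printf '%s\n' "$1" | awk -v own="$2" '
        / snort: / {
            src = ""
            for (i = 1; i <= NF; i++)
                if ($i == "{TCP}" || $i == "{UDP}") { split($(i + 1), a, ":"); src = a[1] }
            if (src != "" && (own == "" || index(src, own) != 1)) { n[src]++; prev = src } else prev = ""
            next
        }
        / last message repeated / { if (prev != "") n[prev] += $(NF - 1) }
        END { for (ip in n) print n[ip], ip }
    ' | sort -k1,1rn -k2,2
}

# failed_sa_logins "<mssql log>" THRESHOLD -> "ip count" for sources with at
# least THRESHOLD failed logins (the dictionary-attack signature). The source
# address is the last whitespace-separated column of each audit line.
failed_sa_logins() {
    printf '%s\n' "$1" | awk -v thr="$2" '
        /Login failed for user/ { n[$NF]++ }
        END { for (ip in n) if (n[ip] + 0 >= thr + 0) print ip, n[ip] }
    ' | sort
}

snort_alerts_by_source "$SAMPLE_SNORT" "192.0.2."
failed_sa_logins "$SAMPLE_MSSQL" 3
```

Run against the real syslog (`snort_alerts_by_source "$(cat /var/log/messages)" "aaa.bbb.ccc."` on the router, or the exported log on a workstation), the first list tells you whether the noise comes from a few hosts, and the second, run over the SQL Server audit export, gives the addresses and counts that a forward-type block rule or the IPS block-sender option would act on. Note that an alert line only proves Snort saw the packet, not that it was dropped; the failed-login entries on the SQL Server are the evidence that port 1433/1434 is actually reachable from outside.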

            • 3. Re: Packet Filter rules not taking effect

              These logs tell you attacks are being detected, although it does appear you have opened up a port for your web server, which is failing logins according to the web server logs.

               

              Unless you have these ports open, these attacks will be blocked.

               

              If they are open, IPS can optionally block the sender IP if desired.

               

              Can I assist further?

              • 4. Re: Packet Filter rules not taking effect
                tomcross

                Hi

                This is the thing: I cannot seem to get the IPS to block the offending IPs or get the GUI rules I have set to work.

                 

                Are you willing to log onto the router and have a look?

                 

                I can send you details off-list?

                 

                If I had another SG 565 I could try a few more things.