Re: [FW1] Strange Alert
I don't think I would suspect an attack with this scenario. tcp-high-ports are defined as anything over 1023 and allow communication to originate from higher ports (i.e. not the well-known <1023 ports), which is useful as some programs need to map processes to ports and would simply run out of ports if working with the standard 2-byte port definition field. You'll note from the x-late fields that the port numbers are high, and well above the 2-byte (65,536 ports) limit, so you do have some form of RPC at work here.

What do the IP addresses mentioned in the log actually do? Are they servers? I'd expect logs like this for Exchange or Citrix servers for example, although it's a good idea to find out what's going on here purely from the stance that you should really know about EVERYTHING that goes through your FW.

Cheers,
Tim

----- Original Message -----
From: Wonder Kid <[email protected]>
To: <[email protected]>
Sent: 16 April 2001 03:45
Subject: [FW1] Strange Alert

> Repost the following. Need help, thanks.
>
> ____________________________________
>
> I am seeing a strange alert message in my firewall
> log. The destination IP was not the internal IP
> address, but somehow the firewall had a log entry for it.
> Details of the entry are below:
>
> :
> :
> Type: alert
> Action: accept
> Services: tcp-high-ports
> Sources: 13.10.226.1
> Destination: 194.13.10.250
> Protocol: TCP
> Rule: 2883584
> Source Port: tcp-high-ports
> :
> :
> xlate_src: 0.16.13.10
> xlate_dst: 226.1.194.172
> xlate_sports: 270209280
> xlate_dports: 11335936
> Info: VPN-1 & Firewall-1 module len>
>
> Note the large rule number (I don't have that many
> rules!), len, source port and destination port
> numbers. There was also no such NAT rule on the
> firewall to translate into the two addresses.
>
> Could this be a possible attack?
>
> The version of FW1 is 4.1 patched with SP2, running on
> Solaris 2.6.
>
> Please help. Thanks.
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
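An added example, not part of the thread: a small Python sanity checker for a "key: value" firewall log record like the one quoted above. A TCP port is a 16-bit field (0 to 65535, with tcp-high-ports meaning 1024 and up), a TCP endpoint cannot be a multicast (224.0.0.0/4) address, and 0.0.0.0/8 is not a usable host address, so a record whose fields fall outside those ranges cannot describe a real connection and points at a mis-parsed or corrupted log record rather than at traffic. The record text is reconstructed from the post, the rule-base size of 100 is an assumption for the check, and the function and constant names are this example's own.

```python
"""Sanity-check the fields of a Check Point FW-1 style log record.

Added example (not from the mailing-list thread). The record below is
constructed from the fields quoted in the post; the rule-base size used
in the demo is an assumption.
"""
import ipaddress

MAX_PORT = 65535        # TCP/UDP ports are 16-bit
HIGH_PORT_MIN = 1024    # "tcp-high-ports" = everything above the well-known ports

# Constructed from the record quoted in the thread (the truncated
# "Info:" line is left out).
RECORD = """\
Type: alert
Action: accept
Services: tcp-high-ports
Sources: 13.10.226.1
Destination: 194.13.10.250
Protocol: TCP
Rule: 2883584
Source Port: tcp-high-ports
xlate_src: 0.16.13.10
xlate_dst: 226.1.194.172
xlate_sports: 270209280
xlate_dports: 11335936
"""


def parse_record(text):
    """Turn 'key: value' lines into a dict; blank and ':'-only filler lines are skipped."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip():
            rec[key.strip()] = value.strip()
    return rec


def check_ip(value):
    """Return a problem description, or None if the value is a plausible TCP endpoint."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return f"not an IP address: {value!r}"
    if addr.is_multicast:
        return f"{addr} is a multicast address and cannot be a TCP endpoint"
    if addr in ipaddress.ip_network("0.0.0.0/8"):
        return f"{addr} is in 0.0.0.0/8, not a usable host address"
    return None


def check_port(value, expect_high):
    """Accept the symbolic service name or a 16-bit number; flag anything else."""
    if value == "tcp-high-ports":
        return None
    if not value.isdigit():
        return f"not a port number: {value!r}"
    n = int(value)
    if n > MAX_PORT:
        return f"{n} exceeds the 16-bit port limit of {MAX_PORT}"
    if expect_high and n < HIGH_PORT_MIN:
        return f"{n} is below the tcp-high-ports range (>= {HIGH_PORT_MIN})"
    return None


def check_rule(value, rulebase_size):
    """A rule number larger than the rule base cannot have matched anything."""
    if not value.isdigit():
        return f"not a rule number: {value!r}"
    n = int(value)
    if n > rulebase_size:
        return f"rule {n} is outside a rule base of {rulebase_size} rules"
    return None


def find_anomalies(rec, rulebase_size):
    """Return [(field, problem), ...]; an empty list means every field is plausible."""
    problems = []
    for field in ("Sources", "Destination", "xlate_src", "xlate_dst"):
        if field in rec and (p := check_ip(rec[field])):
            problems.append((field, p))
    expect_high = rec.get("Services") == "tcp-high-ports"
    for field in ("Source Port", "xlate_sports", "xlate_dports"):
        if field in rec and (p := check_port(rec[field], expect_high)):
            problems.append((field, p))
    if "Rule" in rec and (p := check_rule(rec["Rule"], rulebase_size)):
        problems.append(("Rule", p))
    return problems


if __name__ == "__main__":
    # Assumption: the poster's rule base has no more than 100 rules.
    for field, problem in find_anomalies(parse_record(RECORD), rulebase_size=100):
        print(f"{field}: {problem}")
```

Running it against the quoted record reports both xlate addresses, both xlate ports and the rule number as impossible values; a record that passes every check is one you then investigate as traffic (what the hosts are, whether the NAT rule exists), a record that fails them is one you investigate as a logging problem first.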