
Re: [FW1] Strange Alert



I don't think I would suspect an attack with this scenario.
tcp-high-ports is defined as anything over 1023 and allows communication to
originate from higher ports (i.e. not the well-known <1023 ports), which is
useful as some programs need to map processes to ports and would simply run
out of ports if working with the standard 2-byte port definition field.
You'll note from the x-late fields that the port numbers are high, and well
above the 2-byte (65,536 ports) limit, so you do have some form of RPC at
work here.
What do the IP addresses mentioned in the log actually do?
Are they servers?
I'd expect logs like this for Exchange or Citrix servers, for example,
although it's a good idea to find out what's going on here purely from the
stance that you should really know about EVERYTHING that goes through your
FW.

Cheers,

Tim






----- Original Message -----
From: Wonder Kid <[email protected]>
To: <[email protected]>
Sent: 16 April 2001 03:45
Subject: [FW1] Strange Alert


>
> Repost the following. Need help, thanks.
>
> ____________________________________
>
>
> I am seeing a strange alert message in my firewall
> log. The destination IP was not an internal IP
> address, but somehow the firewall had a log entry for it.
> Details of the entry are below:
>
>
> :
> :
> Type: alert
> Action: accept
> Services: tcp-high-ports
> Sources: 13.10.226.1
> Destination: 194.13.10.250
> Protocol: TCP
> Rule: 2883584
> Source Port: tcp-high-ports
> :
> :
> xlate_src: 0.16.13.10
> xlate_dst: 226.1.194.172
> xlate_sports: 270209280
> xlate_dports: 11335936
> Info: VPN-1 & Firewall-1 module len>
>
> Note the large rule number (I don't have that many
> rules!), and the len, source port and destination port
> numbers. There was also no such NAT rule on the
> firewall to translate into the two addresses.
>
> Could this be a possible attack?
>
> The version of FW1 is 4.1 patch with SP2, running on
> Solaris 2.6.
>
> Please help. Thanks.
>


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
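A triage check for a record like the one quoted in the thread, as an added example that is neither from the thread nor from Check Point: it parses the key/value fields, flags port and rule values outside their plausible ranges, and tests whether the xlate addresses are a byte-shifted copy of the original src/dst octets (in the quoted record the run 13.10.226.1.194 reappears two bytes later), which points to a malformed or misaligned record rather than a NAT rule. The sample record is constructed from the values in the post, and the max_rule bound is an assumed placeholder for the size of one's own rulebase.

```python
import re
# Constructed sample: the record fields quoted in the thread (values copied from the post)
SAMPLE_ENTRY = """\
Sources: 13.10.226.1
Destination: 194.13.10.250
Rule: 2883584
xlate_src: 0.16.13.10
xlate_dst: 226.1.194.172
xlate_sports: 270209280
xlate_dports: 11335936
"""
MAX_PORT = 65535  # TCP ports are 16-bit; no genuine port exceeds this

def parse_entry(text):
    """Parse 'key: value' lines into a dict with lowercased keys."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w ]+?):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields

def octets(addr):
    return [int(o) for o in addr.split(".")]

def longest_shifted_run(a, b):
    """Longest byte run shared by a and b at different offsets (same offset = untranslated address, ignored)."""
    best = 0
    for i in range(len(a)):
        for j in range(len(b)):
            k = 0
            while i != j and i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            best = max(best, k)
    return best

def triage(fields, max_rule=10000):
    """Sanity-check one record; max_rule is an assumed (hypothetical) rulebase bound."""
    findings = []
    for key in ("xlate_sports", "xlate_dports"):
        if int(fields.get(key, 0)) > MAX_PORT:
            findings.append(f"{key}={fields[key]} is outside the 16-bit port range")
    if int(fields.get("rule", 0)) > max_rule:
        findings.append(f"rule={fields['rule']} exceeds the assumed rulebase size")
    orig = octets(fields["sources"]) + octets(fields["destination"])
    xlate = octets(fields["xlate_src"]) + octets(fields["xlate_dst"])
    run = longest_shifted_run(orig, xlate)
    if run >= 4:
        findings.append(f"xlate fields repeat {run} src/dst bytes at a shifted offset: malformed record, not NAT")
    return findings
```

A genuine hide-NAT record, where the destination is left unchanged, shares bytes only at the same offset and so is not flagged by the shifted-run test.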



   All contents © 2004 Network Presence, LLC. All rights reserved.