Is snort pretty easy to install and set up? Do I need to be running a firewall?
On Saturday 19 April 2003 2:43 pm, Adam Leach wrote:
Thanks for everyone's advice. The attack is still continuing at a rate of around 10 attempts a second. Between around 4pm & 8pm I received just under 65000 attempts just from that one IP address.
SuSE firewall is working well and no degrade in system performance, but some web sites are timing out and it gets a bit annoying.
These last couple of days I've been getting a ridiculous number of scans logged by snort running on my Smoothwall firewall. Lots of attempted information leaks via proxy to port 8080 on a block of IP addresses. Going up the ports in numerical order...
SmoothWall IDS snort log Date: 19 April
Date: 04/19 07:50:10 Name: SCAN Proxy (8080) attempt Priority: 2 Type: Attempted Information Leak IP Info: 213.48.100.99:1769 -> 194.117.133.38:8080 Refs:
Date: 04/19 07:50:13 Name: SCAN Proxy (8080) attempt Priority: 2 Type: Attempted Information Leak IP Info: 213.48.100.99:1769 -> 194.117.133.38:8080 Refs:
Date: 04/19 07:50:15 Name: SCAN Proxy (8080) attempt Priority: 2 Type: Attempted Information Leak IP Info: 213.48.100.99:1770 -> 194.117.133.36:8080 Refs:
Date: 04/19 07:50:17 Name: SCAN Proxy (8080) attempt Priority: 2 Type: Attempted Information Leak IP Info: 213.48.100.99:1771 -> 194.117.133.198:8080 Refs:
Date: 04/19 07:50:23 Name: SCAN Proxy (8080) attempt Priority: 2 Type: Attempted Information Leak IP Info: 213.48.100.99:1772 -> 194.117.133.196:8080 Refs:
Date: 04/19 17:54:01 Name: SCAN Proxy (8080) attempt Priority: 2 Type: Attempted Information Leak IP Info: 213.48.100.143:1036 -> 194.117.133.118:8080 Refs:
Date: 04/19 17:54:06 Name: SCAN Proxy (8080) attempt Priority: 2 Type: Attempted Information Leak IP Info: 213.48.100.143:1037 -> 194.117.133.54:8080 Refs:
Date: 04/19 17:54:06 Name: SCAN Proxy (8080) attempt Priority: 2 Type: Attempted Information Leak IP Info: 213.48.100.143:1038 -> 194.117.133.4:8080 Refs:
Date: 04/19 17:54:40 Name: SCAN Proxy (8080) attempt Priority: 2 Type: Attempted Information Leak IP Info: 213.48.100.143:1039 -> 194.117.133.40:8080 Refs:
I'm not quite sure what is happening here, whether someone is trying to bounce requests off my machine to get information from another block of IP addresses looking for something that could be vulnerable. Thinks to self... how's about posting this in one of the Smoothwall forums...
I'll get back later with comments...
Have fun :)
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
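
An added example, not part of the original messages: Python that parses alert lines in the SmoothWall IDS log layout quoted above and reports any source that touches several distinct hosts on one destination port, which is the shape the quoted log has. The sample lines (documentation-range addresses), the function names and the `min_targets` threshold are assumptions made for illustration; the default year comes from the message date.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the SmoothWall IDS log layout (documentation-range
# addresses, not the ones in the post); the last line is deliberate noise.
SAMPLE = """\
Date: 04/19 07:50:10 Name: SCAN Proxy (8080) attempt Priority: 2 Type: Attempted Information Leak IP Info: 192.0.2.99:1769 -> 198.51.100.38:8080 Refs:
Date: 04/19 07:50:13 Name: SCAN Proxy (8080) attempt Priority: 2 Type: Attempted Information Leak IP Info: 192.0.2.99:1769 -> 198.51.100.38:8080 Refs:
Date: 04/19 07:50:15 Name: SCAN Proxy (8080) attempt Priority: 2 Type: Attempted Information Leak IP Info: 192.0.2.99:1770 -> 198.51.100.36:8080 Refs:
Date: 04/19 07:50:17 Name: SCAN Proxy (8080) attempt Priority: 2 Type: Attempted Information Leak IP Info: 192.0.2.99:1771 -> 198.51.100.198:8080 Refs:
Date: 04/19 07:50:23 Name: SCAN Proxy (8080) attempt Priority: 2 Type: Attempted Information Leak IP Info: 192.0.2.99:1772 -> 198.51.100.196:8080 Refs:
Date: 04/19 17:54:01 Name: SCAN Proxy (8080) attempt Priority: 2 Type: Attempted Information Leak IP Info: 192.0.2.143:1036 -> 198.51.100.118:8080 Refs:
Date: 04/19 17:54:06 Name: SCAN Proxy (8080) attempt Priority: 2 Type: Attempted Information Leak IP Info: 192.0.2.143:1037 -> 198.51.100.54:8080 Refs:
SmoothWall IDS snort log Date: 19 April
"""

LINE_RE = re.compile(
    r"Date: (?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) Name: (?P<name>.+?) Priority: (?P<prio>\d+) "
    r"Type: (?P<type>.+?) IP Info: (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse(text, year=2003):
    """Yield one dict per alert line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            # The log carries no year, so one is supplied by the caller.
            rec["ts"] = datetime.strptime(f"{year}/{rec['ts']}", "%Y/%m/%d %H:%M:%S")
            yield rec

def sweeps(text, min_targets=3):
    """Return {(src, dport): summary} for sources hitting >= min_targets hosts."""
    groups = defaultdict(list)
    for r in parse(text):
        groups[(r["src"], r["dport"])].append(r)
    out = {}
    for key, recs in groups.items():
        targets = {r["dst"] for r in recs}  # repeated alerts to one host count once
        if len(targets) >= min_targets:
            times = [r["ts"] for r in recs]
            out[key] = {"alerts": len(recs), "targets": len(targets),
                        "seconds": (max(times) - min(times)).total_seconds()}
    return out

if __name__ == "__main__":
    for (src, port), info in sweeps(SAMPLE).items():
        print(src, "port", port, info)
```

Counting distinct destination hosts rather than raw alerts keeps a retried connection to a single host from looking like a sweep.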