-
SonicWall
I recently installed a SonicWall Soho3 firewall and have noticed in the logs that I am experiencing 10-15 SubSeven attacks a day. They are being dropped by the firewall; however, I am still wondering if they are false positives or if they are real attacks.
Any way to find out where they are coming from?
Any info on this issue would be much appreciated. Thanks
-
Sub 7 probes, scans and sniffing are very common, and most of the time it is coming from kiddies running the included port scanner on the client looking for pre-installed servers because they are too lazy to configure and send a server to a victim in the first place. On my firewall, I get at least ten hits a day, and that's just Sub 7 alone...
As for knowing how to trace them back, that is a little tricky. You will have to see what ISP the probe is coming from and report the offending IP to the ISP, complaining about the offender. Since Sub 7 probes and scans are so common, they will probably ignore the e-mail anyway unless it was an outright Sub 7 intrusion. If you know you do not have a Sub 7 server installed, I would not worry about it, because the scanner will not see a server running and will go to the next machine, the next, and, well, you get the idea.
To make sure you do not have any Sub 7 servers running, get a copy of The Cleaner found here: www.moosoft.com
Hope this helps.
-
To track down the source of a scan:
Doesn't the SonicWall log contain source and destination IP addresses? That could be a starting point, right? I find FIN scans and NetBus attacks (per log reporting) all the time. Often from one IP in a batch.
-
Yes, I do get the source IP address. However, I have not noticed any patterns.
What would you suggest to use for IP lookup? The tool I have used doesn't seem very reliable.
-
Re: SonicWall
Quote:
Originally posted here by the19man
Any way to find out where they are coming from?
Any info on this issue would be much appreciated. Thanks
Ummm.... check the logs - it should give you a source IP. You can then take that to www.arin.net and get the owner of the IP address (or the NIC that can/should be able to tell you more -- you might have to rinse and repeat two, three or four times (i.e. especially for *.kr IPs and similar)).
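The triage step the replies above describe (pull the source IP from the log, spot the repeat offenders and batches, then take those to the registry) as an added example; this is not code from the thread or from SonicWall. The log line format is an assumption, and the sample lines are constructed from documentation address ranges.

```python
# Added example (not from the forum thread): aggregate constructed
# SonicWall-style log lines by source so the repeat scanners stand out
# before anyone is looked up at www.arin.net. The line format below is
# an assumption, not the real SonicWall Soho3 log format.
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample log: "<time> <event> src=<ip> dst=<ip>"
SAMPLE_LOG = """\
10:01:12 Sub Seven Attack Dropped src=198.51.100.7 dst=203.0.113.5
10:01:13 Sub Seven Attack Dropped src=198.51.100.7 dst=203.0.113.5
10:03:44 FIN Scan Dropped src=192.0.2.40 dst=203.0.113.5
10:09:02 NetBus Attack Dropped src=198.51.100.9 dst=203.0.113.5
10:15:30 Sub Seven Attack Dropped src=198.51.100.7 dst=203.0.113.5
11:22:07 Sub Seven Attack Dropped src=192.0.2.41 dst=203.0.113.5
"""

LOG_RE = re.compile(r"^(?P<time>\S+) (?P<event>.+?) src=(?P<src>\S+) dst=(?P<dst>\S+)$")

def parse_log(text):
    """Parse one event per line; lines not matching the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def hits_per_source(events):
    """Dropped events per source IP: the raw count the firewall log already gives you."""
    return Counter(e["src"] for e in events)

def hits_per_network(events, prefix=24):
    """Collapse sources into /prefix blocks so a batch of neighbouring IPs shows as one pattern."""
    nets = Counter()
    for e in events:
        nets[str(ip_network(f"{e['src']}/{prefix}", strict=False))] += 1
    return nets

def lookup_candidates(events, min_hits=2):
    """Sources worth taking to the registry first: repeat offenders, most hits first."""
    return [src for src, n in hits_per_source(events).most_common() if n >= min_hits]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(hits_per_source(evs))
    print(hits_per_network(evs))
    print(lookup_candidates(evs))
```

Single-shot scanners (one hit, gone) drop out of `lookup_candidates`, which matches the advice above that an isolated Sub 7 probe is not worth an abuse report.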