
Thread: SonicWall

  1. #1
    Junior Member | Join Date: Jul 2002 | Posts: 8

    SonicWall

    I recently installed a SonicWall Soho3 firewall and have noticed in the logs that I am experiencing 10-15 SubSeven attacks a day. They are being dropped by the firewall; however, I am still wondering if they are false positives or if they are real attacks.

    Any way to find out where they are coming from?

    Any info on this issue would be much appreciated. Thanks
    Not all those who wander are lost - J.R.R. Tolkien

  2. #2
    Sub 7 probes, scans and sniffing are very common, and most of the time it is coming from kiddies running the included port scanner on the client looking for pre-installed servers because they are too lazy to configure and send a server to a victim in the first place. On my firewall, I get at least ten hits a day, and that's just Sub 7 alone...

    As for knowing how to trace them back, it is a little tricky. You will have to see what ISP the probe is coming from and report the offending IP to the ISP, complaining about the offender. Since Sub 7 probes and scans are so common, they will probably ignore the e-mail anyway unless it was an outright Sub 7 intrusion. If you know you do not have a Sub 7 server installed, I would not worry about it, because the scanner will not see a server running and will go to the next machine, the next, and, well, you get the idea.

    To make sure you do not have any Sub 7 servers running, get a copy of The Cleaner found here: www.moosoft.com

    Hope this helps.

  3. #3
    Junior Member | Join Date: Jul 2002 | Posts: 1
    To track down the source of a scan:
    Does not the SonicWall log contain source and destination IP addresses? That could be a starting point, right? I find FIN scans and NetBus attacks (per log reporting) all the time. Often from one IP in a batch.

  4. #4
    Junior Member | Join Date: Jul 2002 | Posts: 8
    Yes, I do get the source IP address. However I have not noticed any patterns.

    What would you suggest to use for IP lookup? The tool I have used doesn't seem very reliable.
    Not all those who wander are lost - J.R.R. Tolkien

  5. #5
    Member | Join Date: Aug 2001 | Posts: 74
    And what tool is that?
    A squirrel with no nuts will soon starve.

  6. #6
    Senior Member | Join Date: Apr 2002 | Posts: 712

    Re: SonicWall

    Originally posted here by the19man
    Any way to find out where they are coming from?

    Any info on this issue would be much appreciated. Thanks

    Ummm.... check the logs - it should give you a source IP. You can then take that to www.arin.net and get the owner of the IP address (or the NIC that can/should be able to tell you more -- you might have to rinse and repeat two, three or four times (i.e. especially for *.kr IPs and similar)).
    "Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take effect. Reboot now?"
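
Added example, not part of any post in this thread: one way to turn the "check the logs for the source IP" advice above into a per-source and per-network tally, so repeat sources and neighbouring addresses stand out before any registry lookup. The key=value log layout, the `summarize` function name and every address below are assumptions constructed for illustration, not the firewall's actual export format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in an assumed key=value layout (not the firewall's
# real export format); addresses come from documentation ranges.
SAMPLE_LOG = """\
2002-07-14 02:11:09 msg="Sub Seven attack dropped" src=203.0.113.45 dst=192.0.2.10
2002-07-14 02:11:12 msg="Sub Seven attack dropped" src=203.0.113.46 dst=192.0.2.10
2002-07-14 07:40:51 msg="NetBus attack dropped" src=198.51.100.7 dst=192.0.2.10
2002-07-14 09:02:33 msg="Sub Seven attack dropped" src=203.0.113.45 dst=192.0.2.10
2002-07-14 11:15:00 msg="Sub Seven attack dropped" src=10.0.0.5 dst=192.0.2.10
2002-07-14 13:27:48 msg="Sub Seven attack dropped" src=198.51.100.200 dst=192.0.2.10
2002-07-14 13:30:02 msg="Sub Seven attack dropped" src=not-an-ip dst=192.0.2.10
"""

LINE_RE = re.compile(r'msg="(?P<msg>[^"]*)"\s+src=(?P<src>\S+)')
# RFC 1918 ranges: a registry lookup says nothing useful about these sources.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def summarize(log_text, keyword="Sub Seven", prefix=24):
    """Tally matching entries per source IP and per enclosing /prefix network."""
    by_ip, by_net = Counter(), Counter()
    internal = malformed = 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or keyword.lower() not in m["msg"].lower():
            continue
        try:
            ip = ipaddress.ip_address(m["src"])
        except ValueError:
            malformed += 1      # unparsable source field: count it and move on
            continue
        if any(ip in net for net in INTERNAL):
            internal += 1       # came from inside; look at the LAN, not a registry
            continue
        by_ip[str(ip)] += 1
        by_net[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return {"by_ip": by_ip, "by_net": by_net,
            "internal": internal, "malformed": malformed}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for net, hits in result["by_net"].most_common():
        print(f"{net:<20} {hits} hits")
    print("internal:", result["internal"], "malformed:", result["malformed"])
```

The networks at the top of the tally are the ones worth taking to the registry lookup first; a single abuse report covering a whole range is easier for an ISP to act on than one per address.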
