May 17th, 2005 04:20 PM
Firewall violation questions
Have been having a bit of a read on your forums and find them to be an invaluable source of security related info.
Sorry to bust straight in and ask a question, but you look like the people to ask, so here goes -
(have some background first though)
I am currently in the position of managing a small business network, 4 x workstations (2 x XP, 1 x 98SE, 1 x ME) & 1 x server (Win2000). The server is used (mainly) for a stock tracking system based on Symbol PPCs (taaaaaaasty!!) and related database. The computer used as an internet gateway has an always-on 1 meg ADSL connection.
Not having set up the network infrastructure myself, and not being able to rip it all out and start again (24 hour site operation ... waaah) I am stuck using what my predecessor set up.
So, I thinks to myself, ok, the bloke must have known what he was doing to some degree, so I shall inspect how secure the system is.
So, I find NO antivirus software, at all, whatsoever, and the only firewall was Windows Firewall (set to allow everything) ... ok ... the computers were set up in 2004. It's now 2006 ... waaahaa panic!!!
So, after a few weeks of asking, I get Symantec Client Security 2.0 and install my head off.
I found one virus called Download.Trojan in a file called counter.exe and counter.cab, and deleted them after quarantine. There was an obscene amount of spyware found as well ...
... so onto my main point.
Which violation events do I NEED to worry about ?
When I check the logs (specifically the 'intruder detection violation events'), as from the date of the installation, I keep getting what is reported as an http_activeperl_overflow intrusion from a certain IP range, which I have traced back to a company called Level 3 Communications, Inc.
The intrusion attempts started on the 03.05.05 and increment by one extra intrusion attempt, daily, until the 06.05.05 when I reported the repeated events to the abuse handler @ Level 3.
The attempts have since ceased.
However, when attempting to send an abuse report email to a company called Akamai Technologies, their abuse mail addy bounced, and I had to send it to their tech inq addy. I received an email from them requesting that I read their FAQ as it is a perfectly normal piece of network traffic.
If it is a perfectly normal traffic why does my firewall list it as an intrusion attempt 'redundant_slashes_in_URI' ?
Am I being too paranoid ...? (personally I don't think there's a state of 'too paranoid' .. ; ) )
Any input that anyone has on any of the above mentioned things would be greatly appreciated.
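Two things in the post above are worth seeing in code: the "one extra attempt per day" pattern from a single source, which is the kind of escalation worth pulling out of a noisy violation log, and the `redundant_slashes_in_URI` event, which fires simply because a request path contains `//` (a form most web servers collapse before routing, so an IDS treats the non-canonical spelling as a possible evasion attempt even though ordinary clients and CDNs produce it routinely). The script below is an added example for this thread; it is not Symantec Client Security code, the one-line event format it parses is a constructed stand-in for whatever the product exports, and the IP addresses are RFC 5737 documentation addresses rather than the real sources mentioned in the post. It aggregates events per (signature, source) and day, flags sources whose daily count rises on consecutive days, and normalizes a request path so the flagged and canonical forms can be compared.

```python
"""Triage helper for host-IDS 'intrusion' events (added example, not vendor code).

Assumed input: one event per line as  dd.mm.yy <signature> <source-ip>.
This format and the sample events are constructed for the example.
"""
from collections import defaultdict
from datetime import date
import re

# Constructed sample log: one source escalating 1, 2, 3 hits on consecutive
# days (the pattern described in the post), plus two one-off URI events.
SAMPLE_EVENTS = """\
03.05.05 http_activeperl_overflow 198.51.100.7
04.05.05 http_activeperl_overflow 198.51.100.7
04.05.05 http_activeperl_overflow 198.51.100.7
05.05.05 http_activeperl_overflow 198.51.100.7
05.05.05 http_activeperl_overflow 198.51.100.7
05.05.05 http_activeperl_overflow 198.51.100.7
04.05.05 redundant_slashes_in_URI 203.0.113.20
05.05.05 redundant_slashes_in_URI 203.0.113.21
"""

LINE_RE = re.compile(r"^(\d{2})\.(\d{2})\.(\d{2})\s+(\S+)\s+(\S+)$")


def parse_events(text):
    """Parse the constructed log format into (date, signature, source) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort triage
        d, mo, y, sig, src = m.groups()
        events.append((date(2000 + int(y), int(mo), int(d)), sig, src))
    return events


def daily_counts(events):
    """Map (signature, source) -> {date: hit count}."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, sig, src in events:
        counts[(sig, src)][day] += 1
    return counts


def escalating_sources(events, min_days=3):
    """Return (signature, source) pairs whose daily hit count rose strictly on
    at least min_days consecutive calendar days: the steady daily ramp the
    post describes, which deserves attention before the one-off noise."""
    flagged = []
    for key, per_day in daily_counts(events).items():
        days = sorted(per_day)
        run = 1
        for prev, cur in zip(days, days[1:]):
            if (cur - prev).days == 1 and per_day[cur] > per_day[prev]:
                run += 1
                if run >= min_days:
                    flagged.append(key)
                    break
            else:
                run = 1  # gap in days or no increase resets the streak
    return flagged


def has_redundant_slashes(path):
    """True when the path spelling is one an IDS labels 'redundant slashes'."""
    return "//" in path


def normalize_path(path):
    """Collapse '//' runs and resolve '.'/'..' segments the way most web
    servers do before routing, giving the canonical form of the request."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("escalating:", escalating_sources(evs))
    for p in ("/cgi-bin//status", "/a/./b/../c"):
        print(p, "->", normalize_path(p), "| flagged:", has_redundant_slashes(p))
```

In this sample only the source that ramps 1, 2, 3 hits on consecutive days is flagged; the two `redundant_slashes_in_URI` events come from different addresses on single days and would be left at low priority, which matches the sort of triage a violation log with this much noise needs.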