MORE Suspicious Firewall Log Entries!!!

I am running a real firewall with DMZ and NAT.

I am running IIS/DNS on one box & Exchange on the other (...and i realize, after reading posts from this site, that i should be running a *nix based box, but i work with what i know, and that 'aint much)
Anyhow, yesterday i posted something similar and people told me not to worry, but these types of entries below are a daily occurence. My site is fine...as far as i know. No complaints from eMail users.

So...should i just forget about these "attacks"? Does this happen to all of you also?

Humbly,
retfarcratS


06/05/2003 08:50:08.640 Probable TCP FIN scan 64.41.142.141, 80, WAN xxx.xxx.xxx.xxx, 27690, LAN
06/05/2003 08:46:18.032 Sub Seven Attack Dropped 80.179.0.187, 3265, WAN xxx.xxx.xxx.xxx, 1243, WAN

06/05/2003 07:50:08.896 TCP connection dropped 66.78.26.2, 42300, WAN 192.168.168.4, 113, LAN 'Authentication' 6
06/05/2003 07:49:07.320 UDP packet dropped 217.128.206.88, 56321, WAN xxx.xxx.xxx.xxx, 137, WAN
06/05/2003 07:47:49.112 TCP connection dropped 66.78.26.2, 42209, WAN 192.168.168.4, 113, LAN 'Authentication' 6

06/05/2003 02:57:38.480 TCP connection dropped 193.231.125.88, 3409, WAN 192.168.168.4, 1080, LAN 'Socks' 6

06/05/2003 02:18:24.016 TCP connection dropped 211.194.117.164, 3222, WAN xxx.xxx.xxx.xxx, 25, WAN 'Send Email (SMTP)' 0

06/04/2003 22:17:39.176 TCP connection dropped 64.77.25.153, 4476, WAN xxx.xxx.xxx.xxx, 135, WAN 'RPC Mapper' 0

06/04/2003 19:19:15.896 TCP connection dropped 217.85.138.88, 1291, WAN xxx.xxx.xxx.xxx, 21, WAN 'File Transfer (FTP)'

I expect that someone's connected to IRC from the box (or somehow NAT'd to the same IP).

A lot of IRC servers send back ident requests on port 113 - some also scan for open proxies (so they can ban users who are using one)

But essentially, all of that is normal for a box on the internet:

- Connections to port 80 (www) - IIS Worms
- Port 25 - spammers scanning for open relays to spam through
- Port 21 - Warez kiddies looking for open FTP servers to dump their warez in
- 1080 (socks) or any other port commonly used by proxies - kiddies looking for open proxies (and sometimes IRC servers checking for open proxies that the kiddies might be using to attack them through)
- Subseven - kiddies again

The kiddies are usually responsible. They are looking for either an easy way in, or a proxy server to use to hide their tracks better.

There really is no point trying to follow up any of this stuff as there is just too much of it. Any vigilant IDS admin will turn off these rules after a few days of looking at the logs :)

Thank You Slarty.

Humbly,
retfarcratS

Yep, should you throw a "real" IDS up and sniff the perimeter router (as I do) you will see all kinds of stuff. We generate about 2GIG of IDS traffic a day and using signatures from the IDS manufacturer, we see all of the usual suspects knocking at the front door. NMAP scans, IIS, BugBear, WebDAV, source routed traffic, etc. The log entries that you need to worry about are the ones that aren't there if you catch my drift ;)

thehorse13,

Yesterday I downloaded Snort. However, I have NO idea how to get it to work...learning the language and all...etc.

I'm sure there are other NDIS proggies out there that are a little easier for the "noob".

Thanks for you help.

Humble,
retfarcratS

Ret: Try PureSecure's Windows version based on Snort. It's free for non-commercial use and is easy to install with a nice interface and some additional features.

Try it here