Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: WIldkow on August 20, 2003, 09:20:49 PM
-
For the past two days I have received over 500 Snort/ACID alerts for "ICMP PING CyberKit 2.2 Windows", almost all coming from different IPs but almost all in this range: 24.xxx.xxx.xxx. This is the same range of IP for AT&T, which is my ISP. So I am assuming that someone is bouncing this ping off these IP addresses. Fact is I'm a bit of a n00b, so my question is: what should I do?
Guardian (not Dan's) is not blocking these, that I can see in the Guardian log. Is there a way to have these addresses or this type of PING blocked for 24+ hours automagically?
Another question: at a friend's site we have an ISDN/DSL router with a public IP address feeding into our e-smith/SME box over a private IP address, then out to the local LAN, with SAG as the IDS. Is there a way to monitor the public IP address from the e-smith/SME box, and if so, will ACID/Guardian work? I have done some research and I found info on "Sensors and var HOME_Net" for Snort but am still confused as to the implementation.
TIA
Wildkow
-
We use Sprint and I'm getting the same thing from Sprint IPs.
-
I got this back from Sunflower.com, an ISP which I complained to about their customers. Boy, that was quick and personal; wish I had them instead of Comcast.
Brian
It's not a single person. We're an ISP (Sunflower) and there's a new virus out that is pinging multiple computers. It's the Nachi virus. Here's a link about it: http://www.sophos.com/virusinfo/analyses/w32nachia.html
We're addressing the issue and addressing customers as we identify them as being infected. This is not an attack upon you per se, it's just viruses trying to spread.
-
WIldkow,
This is impressive (the response). I've sent dozens of such complaints off to as many ISPs and if I get anything back, it's an auto response (and that's rare). That this group actually hand wrote a response to you is unheard of.
Nice to know there is at least one ISP interested in what's going on in their network.
Dave
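
An added example, not part of the thread: a triage script that reads Snort "fast" alert lines for the signature discussed above and checks whether the alerts come from one source or from many hosts concentrated in one /8, which is the pattern the ISP reply describes. The sample lines, the sid placeholder, the 10.0.0.0/8 stand-in for the ISP range and the thresholds are all assumptions made for the example.

```python
import re
from collections import Counter

SIGNATURE = "ICMP PING CyberKit 2.2 Windows"  # alert text quoted in the thread
# Snort "fast" alert line: time [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{\w+\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)\S*\s+->\s+\d+\.\d+\.\d+\.\d+")

# Constructed sample, not real traffic. 10.0.0.0/8 stands in for the ISP range;
# the gid:sid:rev values are placeholders.
HEAD = "08/20-21:01:10.101000  [**] [1:1000001:1] "
TAIL = " [**] [Priority: 3] {ICMP} "
SOURCES = ("10.12.7.4", "10.98.3.77", "10.12.7.4", "10.45.210.8",
           "10.161.14.2", "10.230.9.61", "192.0.2.15")
SAMPLE = "\n".join(
    [HEAD + SIGNATURE + TAIL + src + " -> 10.200.1.9" for src in SOURCES]
    + [HEAD + "Constructed unrelated alert" + TAIL + "10.12.7.4 -> 10.200.1.9"])

def summarize(log_text, signature=SIGNATURE):
    """Count alerts for one signature per source address and per source /8."""
    per_source = Counter()
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m and m.group("msg") == signature:
            per_source[m.group("src")] += 1
    per_slash8 = Counter(src.split(".")[0] + ".0.0.0/8" for src in per_source)
    return {
        "alerts": sum(per_source.values()),
        "distinct_sources": len(per_source),
        "sources_per_slash8": dict(per_slash8),
        "max_alerts_from_one_source": max(per_source.values(), default=0),
    }

def looks_like_many_hosts(summary, min_sources=5, max_share=0.5):
    """Heuristic (assumed thresholds): many distinct senders, none dominant."""
    if summary["alerts"] == 0:
        return False
    share = summary["max_alerts_from_one_source"] / summary["alerts"]
    return summary["distinct_sources"] >= min_sources and share <= max_share

if __name__ == "__main__":
    result = summarize(SAMPLE)
    print(result)
    print("many independent hosts:", looks_like_many_hosts(result))
```

Many distinct sources with no dominant sender points to infected neighbours on the same provider rather than one host targeting the sensor, so the per-/8 counts are the useful detail to include in a report to the ISP.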