Firewalls: Re: FW-1 logs....is this an attack...?

Firewalls
(August 1997)

Indexed By Thread: [Previous] [Next]

Subject:	Re: FW-1 logs....is this an attack...?
From:	ormonde @ trem . cnt . org . br (Rodrigo Ormonde)
Date:	Thu, 31 Jul 1997 17:44:25 -0200 (GRNLNDDT)
To:	firewalls @ greatcircle . com
In-reply-to:	<33E1236C . 14B1 @ garanti . com . tr> from "Cihan Subasi" at Jul 31, 97 04:44:44 pm

> When someone accesses our Web server in DMZ I receive the following log
> which is logical,
> 
> 	http	194.242.77.89	WEbServer	tcp	7	1036
> 
> but sometimes I receive the folloving log entry which looks like our web
> server is tyring to http outside...
> 	
> 	1029 	Webserver	194.54.33.242	tcp	12	http
> 
> What I understand is prot 80 of my web server is making a request from
> 1029 of a remote host...
> 
> 	Help please,

  Well, I think the strange log entries are caused by resets sent by your
web server (in most times, reset packets come without the ack flag and
might get logged as connections request).

  I have faced this before in another product.

  Hope this helps.

-- 
Rodrigo de La Rocque Ormonde
e-mail: ormonde @
 cnt .
 org .
 br
PGP Public key: finger ormonde @
 cnt .
 org .
 br 

-> Turn your PC into a workstation - Use FreeBSD ! <-

Indexed By Date	Previous:	"Destination Static Address Translattion" under Linux using ipfwadm?... From: James Terry <james @ imxexchange . com>
Indexed By Date	Next:	Re: Firewalls FAQ From: "Marcus J. Ranum" <mjr @ nfr . net>
Indexed By Thread	Previous:	"Destination Static Address Translattion" under Linux using ipfwadm?... From: James Terry <james @ imxexchange . com>
Indexed By Thread	Next:	Re: Firewalls FAQ From: "Marcus J. Ranum" <mjr @ nfr . net>