CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hello All,

Like a good chap I was going through firewall logs and saw the following:

    Number: 22816
    Date: 11Dec2006
    Time: 2:14:05
    Product: SmartDefense
    Attack Name: Storm Center Block List Enforcement
    Attack Information: Packet originated from a host on the DShield block list
    Origin: fw-module
    Type: Log
    Action:
    Service: 1026
    Source: somehost.net (x.x.x.x)
    Destination: x.x.x.x
    Protocol: udp
    Information: Total logs: 2 Suppressed logs: 1

These entries show as green (like accepted) but there is nothing in the interface column. Should I be worried?

Cheers,
George
It looks like you've configured automatic blocking based on DShield's block list. Those lists are based on reports of bad traffic from various netblocks, e.g. persistent worm traffic. If you're happy doing that, then it's OK. Depends what your site policy is. Looks like maybe you have it configured just to log, not drop the traffic. Was it traffic that you consider legitimate traffic?
Hi northlandboy,

I hope you are well. Yes, I have the "retrieve and block IP list from DShield" option selected. Other connections have been made from this source and have been blocked. I wouldn't think this is legitimate traffic. This one looked odd as it was green as opposed to red. I checked out the IP range and it resolves to hosts in the hideout.net domain. A quick Google looks like various hosts in this domain have been trying unusual things and others have been reporting it to the abuse desk of the owners without much joy. Happened again last night about the same time. We don't have any dealings with the States; in this instance we are a UK government body. I guess I could block the entire IP block for the domain manually in a rule. I was just interested in why it would appear as accepted as opposed to blocked. If I have time today I think I'll try and get a Snort box out there and see what I find in a capture. Out of interest really. The host has an SSH port open which I can connect to.

Cheers,
George
Hi Yogi,

I don't know, but I am guessing (hoping) that if a connection comes in from an IP address on the list it gets rejected before being processed by any rules. This may help performance if you have lots of rules.

Cheers,
George
Yes, the idea is that your DShield drop rule should be close to the top of your rule base so that, even if it looks like good traffic to another rule, it gets dropped early in the process.
It's a very low chance, but you should make sure your admin access to the gateway is above this rule in case you have some infected systems that are attacking the world and you get blacklisted. Take a look at www.dshield.org for more information.
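The two points made in the last replies (put the block-list drop rule near the top, but keep the admin-access rule above it so a blacklisted admin network cannot lock you out) can be checked with a small first-match simulator. The following is an added example, not code from the thread or from Check Point; the block list text, the addresses (documentation ranges) and the rule names are all constructed for illustration, and the tab-separated start/end/netmask layout is assumed to mirror DShield's block.txt rather than taken from the thread.

```python
"""Added example (not from the CPUG thread or Check Point): a toy first-match
rulebase evaluator used to see what happens to admin SSH when the DShield drop
rule sits above or below the admin-access rule."""
import ipaddress
from dataclasses import dataclass

# Constructed sample in the tab-separated layout assumed for DShield's
# block.txt (start, end, netmask length, attack count, name).  Addresses are
# from the RFC 5737 documentation ranges; they are NOT real list entries.
SAMPLE_BLOCK_LIST = (
    "# Start\tEnd\tNetmask\tAttacks\tName\n"
    "192.0.2.0\t192.0.2.255\t24\t1234\tEXAMPLE-NET-1\n"
    "198.51.100.0\t198.51.100.127\t25\t567\tEXAMPLE-NET-2\n"
)


def parse_block_list(text):
    """Return the listed blocks as ip_network objects, skipping comment lines."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 3:
            continue  # malformed line: ignore rather than guess a prefix
        nets.append(ipaddress.ip_network(f"{fields[0]}/{fields[2]}", strict=False))
    return nets


@dataclass
class Rule:
    name: str
    src: object    # "DSHIELD" (the dynamic list), "any", or an ip_network
    dst: object    # "any" or an ip_network
    service: str   # "any" or a service name such as "ssh"
    action: str    # "accept" or "drop"


def _src_matches(rule, addr, blocked):
    if rule.src == "DSHIELD":
        return any(addr in net for net in blocked)
    return rule.src == "any" or addr in rule.src


def evaluate(rulebase, src_ip, dst_ip, service, blocked):
    """First matching rule wins, as in a Check Point rulebase; unmatched
    traffic falls through to the implicit cleanup drop."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rulebase:
        if (_src_matches(rule, src, blocked)
                and (rule.dst == "any" or dst in rule.dst)
                and rule.service in ("any", service)):
            return rule.name, rule.action
    return "implicit cleanup", "drop"


# Hypothetical objects: the gateway, a public web server, and an admin network
# that happens to fall inside the first blocked /24 (i.e. it got blacklisted).
GATEWAY = ipaddress.ip_network("203.0.113.1/32")
WEB_SERVER = ipaddress.ip_network("203.0.113.10/32")
ADMIN_NET = ipaddress.ip_network("192.0.2.0/28")

ADMIN = Rule("admin access", ADMIN_NET, GATEWAY, "ssh", "accept")
DSHIELD = Rule("dshield drop", "DSHIELD", "any", "any", "drop")
WEB = Rule("public web", "any", WEB_SERVER, "http", "accept")

GOOD_ORDER = [ADMIN, DSHIELD, WEB]   # admin rule above the block-list drop
BAD_ORDER = [DSHIELD, ADMIN, WEB]    # lockout if the admin net gets listed


def main():
    blocked = parse_block_list(SAMPLE_BLOCK_LIST)
    for label, rulebase in (("admin above dshield", GOOD_ORDER),
                            ("dshield above admin", BAD_ORDER)):
        print(label, evaluate(rulebase, "192.0.2.5", "203.0.113.1", "ssh", blocked))
    print("listed host -> web", evaluate(GOOD_ORDER, "198.51.100.9", "203.0.113.10", "http", blocked))
    print("unlisted host -> web", evaluate(GOOD_ORDER, "203.0.113.50", "203.0.113.10", "http", blocked))


if __name__ == "__main__":
    main()
```

With the admin rule on top, SSH from the (blacklisted) admin network still reaches the gateway; with the DShield rule on top, the same connection is dropped before the admin rule is ever consulted, which is exactly the lockout the reply warns about. Unlisted sources are unaffected either way, so the drop rule is still doing its job for everything else.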