IDS Going Crazy

Slick Upstate New York
edited March 2004 in Science & Tech
Anyone have any ideas why the built-in IDS for Sygate firewall is going crazy in this photo? It's been doing it all day.

Comments

  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited March 2004
    I would run Windows Update and grab the RPC updates and security patches offered. Then I would throw the trojan\bot remover\adware puller cocktail, AND AV at the box, making sure everything is updated first.

    Basically a BIND attempt could be a new virus, could be an old one. Someone is trying to get a remote connect, or a trojan got pulled and the hacker still wants in, or you are being nmap probed. What bothers me is Sygate saying it is detecting what in essence is an exploit attack attempt and it blocked it for you -- good Sygate. Used to get those here from time to time also. Sygate will also react that way to a test probe from GRC, the full probe version, ditto to a PC Flank site test probe series, and to a Symantec security port scan for some things. It would be nice to know the particular port, then I could possibly tell you more.

    Another possibility, without knowing the port, is something using P2P wants to connect and thinks your box is a peer server or has been. Try right clicking on the TCP indicator, see if it will tell you what port was blocked. Remote access attempts to do a takeover of the box also have been known to happen with this kind of thing.

    Something wants to use RPC to do something on the box is all I can say without ports. Sygate will default block lots of P2P also, though. And some ISPs are probing for P2P peer servers also. Those appear to be two discrete class B domains, so it is quite possible it is an ISP server probe of clients in your area. One is a non-echoing box on knology.net, the other is on optonline.net, and the second naming looks like a mess I would not want to connect to.

    Let me show you a trick, simple and legal. Do this in XP:

    Start|run|CMD

    tracert 24.44.167.224

    That will give you a server-by-server and router-by-router hop identification if the routers or computers are not set to not echo in order to avoid IDing themselves. BOTH boxes are echo stealthed, which makes me wonder wassup and think you might want to check your box for gremlins as above just in case. Either way, those boxes just got a bunch of pings thrown at them.

    John D.
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited March 2004
    If it's being blocked, I wouldn't worry about it. That's the whole point of an IDS.
  • Slick Upstate New York
    edited March 2004
    The firewall usually blocks things easily, but the thing that worries me is that 1) it says it is a warning from the IDS; usually just the firewall posts blocks, not the IDS, 2) they are rated as "critical" level packets, 3) they are continuously coming day and night.

    I can only think of a few reasons for this...

    1) Someone is probing me
    2) There is a new virus out
    3) My ISP is scanning me for one reason or another.
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited March 2004
    According to this thread at the Sygate site, in the SPF GUI, click on Applications, scroll to SVCHOST.EXE, click the Advanced button, and uncheck the "act as server" box.

    You might also want to check here to see if you have a DCOM vulnerability.