New to the world of IDS I am seeking assistance in the interpretation of a swarm of alarms noted in the logs last week.
I have a bank of 8 IIS servers and a 4230 sensor sitting behind a PIX firewall. On any given day I will see a few hundred attempted attacks using the IIS Unicode exploit or WinNT cmd.exe access.
On one certain day I saw hundreds of thousands of such alarms. The source IP address was that of one of the IIS servers on port 80, while the destination address and port varied across a gamut of addresses and ports.
I figured that an attacker had attempted a DoS attack by spoofing the source address of an internal server (believable since I do not yet have the public interface of the PIX configured to drop packets with internal source addresses). However, I am told that it is very difficult to spoof such an IIS response so my initial assumption may be wrong.
It is possible that you are under attack or may have even been compromised by a virus.
Nimda is one such virus that attacks IIS web servers using the IIS Unicode exploit or WinNT cmd.exe access, and there are several more that use similar methods for propagating themselves.
Be sure you have loaded the latest IIS Security Patches on your web server, and be sure your Anti-Virus software is up to date. Scan your web server with the latest antivirus to determine if you've been infected.
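As an added illustration (not part of the original thread, and not a Cisco tool), the following script shows how to sort an alarm burst like the one described into "inbound scan from outside" versus "internal host hitting many destinations", which is the signature of a worm-infected server rather than of ordinary inbound probing. The alarm line format, the sample lines and the 10.1.1.0/24 internal range are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample alarm lines (not from the original post); the format is assumed.
SAMPLE_ALARMS = """\
2001-09-18 10:12:01 sig="IIS Unicode" src=10.1.1.5:80 dst=203.0.113.7:80
2001-09-18 10:12:01 sig="WinNT cmd.exe access" src=10.1.1.5:80 dst=203.0.113.8:80
2001-09-18 10:12:02 sig="IIS Unicode" src=10.1.1.5:80 dst=198.51.100.4:8080
2001-09-18 10:12:02 sig="IIS Unicode" src=10.1.1.5:80 dst=198.51.100.5:80
2001-09-18 10:12:03 sig="IIS Unicode" src=192.0.2.9:3421 dst=10.1.1.2:80
2001-09-18 10:12:04 sig="WinNT cmd.exe access" src=192.0.2.9:3422 dst=10.1.1.3:80
"""

ALARM_RE = re.compile(r'sig="(?P<sig>[^"]+)" src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):\d+')
WORM_SIGS = {"IIS Unicode", "WinNT cmd.exe access"}  # the two signatures the thread names

def parse_alarms(text):
    """Yield (signature, src_ip, dst_ip) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = ALARM_RE.search(line)
        if m:
            yield m.group("sig"), m.group("src"), m.group("dst")

def classify_sources(text, internal_nets, min_targets=3):
    """Group worm-signature alarms by source and give each source a verdict.

    An internal source that hits many distinct destinations behaves like an
    infected host propagating outward (the Nimda-style pattern the reply
    describes). Hits from outside are the usual inbound background scanning.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    targets = defaultdict(set)
    for sig, src, dst in parse_alarms(text):
        if sig in WORM_SIGS:
            targets[src].add(dst)
    verdicts = {}
    for src, dsts in targets.items():
        internal = any(ipaddress.ip_address(src) in n for n in nets)
        if internal and len(dsts) >= min_targets:
            verdicts[src] = "internal host scanning outward: treat as possibly infected"
        elif internal:
            verdicts[src] = "internal source, few targets: check for spoofing or misfire"
        else:
            verdicts[src] = "inbound scan from outside"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_ALARMS, ["10.1.1.0/24"]).items():
        print(f"{src}: {verdict}")
```

If the internal source really is spoofed, the sensor would still log it this way, so a verdict of "possibly infected" is a reason to scan that server, not a conclusion on its own.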