Raw IP traffic



  • Hello!

    I have a snort machine sniffing traffic on the LAN side of my pfSense.

    The snort log says there are port scans using the Raw IP protocol. The source addresses are generally from the Internet. So, these attacks are bypassing my pfSense (?).

    I don't understand why …

    One of my machines is a webserver on the Internet. So, it has ports 80 & 443 open to the Internet. I also have Samba services on the LAN side, but this service can be viewed from the Internet (no NAT, no firewall rules for Samba).

    However, some of the raw IP attacks can see that ports 139 and 445 are open on this machine (?).

    Example:

    #(1 - 42473) [2007-05-14 14:59:53] [snort/122:27]  (portscan) Open Port
    IPv4: AAA.AAA.AAA.AAA -> XXX.XXX.XXX.XXXX
        hlen=5 TOS=0 dlen=35 ID=50276 flags=0 offset=0 TTL=0 chksum=20299
    Payload:  length = 15

    000 : 4F 70 65 6E 20 50 6F 72 74 3A 20 31 33 39 0A      Open Port: 139.

    AAA.AAA.AAA.AAA (source address from Internet)
    XXX.XXX.XXX.XXX (private address, my machine at the LAN side of pfSense)

    Any idea?

    Thanks,

    Josep Pujadas
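For anyone triaging alerts of this shape, an added example (not from the post and not Snort project code) that parses a Snort full-alert block like the one quoted above, decodes the hex payload and flags the entry as a preprocessor pseudo-packet. It assumes the sfPortscan generator ID of 122 and uses constructed placeholder addresses in place of the masked ones.

```python
import re

# Constructed sample: the "(portscan) Open Port" block from the post, with the
# masked addresses replaced by documentation-range placeholders.
SAMPLE = """\
#(1 - 42473) [2007-05-14 14:59:53] [snort/122:27]  (portscan) Open Port
IPv4: 203.0.113.5 -> 192.168.1.10
    hlen=5 TOS=0 dlen=35 ID=50276 flags=0 offset=0 TTL=0 chksum=20299
Payload:  length = 15

000 : 4F 70 65 6E 20 50 6F 72 74 3A 20 31 33 39 0A      Open Port: 139.
"""

SFPORTSCAN_GID = 122  # generator ID of Snort's sfPortscan preprocessor (assumed)

HEADER_RE = re.compile(r"#\((\d+) - (\d+)\) \[([^\]]+)\] \[snort/(\d+):(\d+)\]\s+(.*)")
IPV4_RE = re.compile(r"IPv4: (\S+) -> (\S+)")
FIELD_RE = re.compile(r"(\w+)=(\d+)")
LENGTH_RE = re.compile(r"Payload:\s+length = (\d+)")

def parse_alert(block):
    """Parse one Snort full-alert block into a dict and decode its hex payload."""
    lines = block.splitlines()
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not a Snort alert header: %r" % lines[0])
    ev = {"event_id": int(m.group(2)), "timestamp": m.group(3),
          "gid": int(m.group(4)), "sid": int(m.group(5)), "msg": m.group(6).strip()}
    length, hexbytes = None, []
    for line in lines[1:]:
        ip = IPV4_RE.match(line)
        if ip:
            ev["src"], ev["dst"] = ip.groups()
        elif line.strip().startswith("hlen="):
            ev.update({k: int(v) for k, v in FIELD_RE.findall(line)})
        elif line.startswith("Payload:"):
            length = int(LENGTH_RE.match(line).group(1))
        elif " : " in line and length is not None:
            # hex dump row: offset, " : ", up to 16 byte pairs, then an ASCII column
            for tok in line.split(" : ", 1)[1].split()[:16]:
                if len(hexbytes) == length:
                    break
                hexbytes.append(int(tok, 16))
    ev["payload"] = bytes(hexbytes)
    # sfPortscan reports through a pseudo-packet it builds itself (TTL=0, raw IP
    # protocol, text payload); the bytes are Snort's own text, not scanner traffic.
    ev["synthetic"] = ev["gid"] == SFPORTSCAN_GID
    # Sanity check: dlen should equal the IP header length plus the payload length.
    ev["length_consistent"] = ev["dlen"] - ev["hlen"] * 4 == len(ev["payload"])
    return ev

def open_port(ev):
    """Return the port number carried in an sfPortscan 'Open Port' payload, or None."""
    m = re.search(rb"Open Port: (\d+)", ev["payload"])
    return int(m.group(1)) if m else None
```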
