Snort mailing list archives

RE: Understanding what I am seeing - MS-SQL worm propagation attempt ...


From: "Michael Chapman" <MChapman () ascentmedia com>
Date: Mon, 19 Jan 2004 15:39:23 -0800

Please be gentle with me, as I am just getting started with analyzing
the results presented by snort!

I have several alerts for the above rule which I am trying to
understand.  The alerts I am seeing show my outside interface address as
the source triggering the alert, with a target inside my network.  Since
this outside interface is on a Cisco router, I am fairly sure that what
I am seeing is an infected machine inside my network trying to get out,
but I am a bit uncertain as to the veracity of that conclusion.

When looking at the Snort data in ACID, I see my outside interface
(public IP) as the source address, with a destination address for an
inside host (RFC 1918 IP).  However, when looking at the payload, I see
the original source as the inside host, with a destination address
somewhere in the wild (other than our own outside IP space).
Additionally, in the ICMP section, I see "Destination Unreachable" as
the type and the code as being (13) Packet Filtered.

What I am thinking is that I am seeing an attempt by the infected
machine to talk to that host in the wild, and my router/firewall rules
rejecting the reply coming back.  Does that sound reasonable, or am I
completely befuddled?

Many thanks in advance!

Michael
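Added illustration, not part of the original post: an ICMP Destination Unreachable message quotes the header of the datagram it is about, which is why the alert's outer source (the router) differs from the source inside the payload (the inside host). This parser, run on a constructed packet with assumed addresses (203.0.113.1 for the router, 192.168.1.50 for the inside host, 198.51.100.7:1434 for the blocked destination), extracts both layers so the analyst can see which address is the one to investigate.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3
ICMP_CODE_ADMIN_PROHIBITED = 13   # displayed by Snort/ACID as "Packet Filtered"

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left zero; the parser below never validates it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_icmp_unreachable(pkt):
    """Split an ICMP Destination Unreachable packet into its outer addresses and the
    quoted original datagram. Returns None if the packet is not ICMP type 3."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                       # outer protocol must be ICMP
        return None
    icmp = pkt[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH:
        return None
    inner = icmp[8:]                      # RFC 792: original IP header + first 8 bytes of its payload
    inner_ihl = (inner[0] & 0x0F) * 4
    l4 = inner[inner_ihl:inner_ihl + 8]
    ports = struct.unpack("!HH", l4[:4]) if inner[9] in (6, 17) else (None, None)
    return {
        "outer_src": socket.inet_ntoa(pkt[12:16]),   # router that generated the ICMP
        "outer_dst": socket.inet_ntoa(pkt[16:20]),   # host whose packet was dropped
        "code": icmp[1],
        "orig_src": socket.inet_ntoa(inner[12:16]),  # who really sent the dropped packet
        "orig_dst": socket.inet_ntoa(inner[16:20]),  # where it was really going
        "orig_proto": inner[9],
        "orig_sport": ports[0],
        "orig_dport": ports[1],
    }

def host_to_investigate(info):
    """For a code-13 unreachable, the address to pivot on is the quoted sender, not the ICMP source."""
    return info["orig_src"] if info and info["code"] == ICMP_CODE_ADMIN_PROHIBITED else None

# Constructed sample: inside host sends UDP to 198.51.100.7:1434 (MS-SQL resolution port, assumed);
# the router at 203.0.113.1 filters it and returns ICMP type 3 / code 13 to the inside host.
_udp = struct.pack("!HHHH", 1049, 1434, 384, 0)            # only the UDP header is quoted by ICMP
_inner_ip = ipv4_header("192.168.1.50", "198.51.100.7", 17, 384)
_icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_CODE_ADMIN_PROHIBITED, 0, 0) + _inner_ip + _udp
SAMPLE = ipv4_header("203.0.113.1", "192.168.1.50", 1, len(_icmp)) + _icmp

if __name__ == "__main__":
    info = parse_icmp_unreachable(SAMPLE)
    print(f"Alert shows {info['outer_src']} -> {info['outer_dst']} (ICMP unreachable, code {info['code']})")
    print(f"Quoted datagram: {info['orig_src']}:{info['orig_sport']} -> {info['orig_dst']}:{info['orig_dport']}"
          f" proto {info['orig_proto']}; investigate {host_to_investigate(info)}")
```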
