Hi,
Lately we have been seeing a lot of Snort blocks of traffic which seems to be 'reversed'. With no specific NAT rules configured, it seems that internet hosts are able to reach internal clients on specific ports. For example:
Source: 84.54.51.37:49716 Destination: 192.168.x.222:80 TP-Link Archer Router command injection attempt
How is this possible? Is the reporting wrong maybe?
Thanks,
Frank
Have you enabled early access: NAT Exceptions with Manual Inbound Firewall?
Nope
Not a definitive answer, but if you don't have any DNAT rules configured, and manual inbound firewall is disabled, I'd be concerned that the device (192.168.x.222) may already be compromised.
Closing the topic, as this was a pure mistake in observation/perception: the client name and OS were wrongly classified. The client IP was actually configured in a NAT rule for forwarding.
Thanks