Folks,
I have a bunch of alarm reports from my NetScreen firewall that have me perplexed. They look like:
ActiveX control blocked! From OUTSIDEIP:80 to MYIP:2264 ActiveX control blocked! From OUTSIDEIP:80 to MYIP:2263 ActiveX control blocked! From OUTSIDEIP:80 to MYIP:2262 ActiveX control blocked! From OUTSIDEIP:80 to MYIP:2258 UDP flood! From DIFFERENT_OUTSIDE_IP:53 to MYIP:2256
and then some others originating from inside my network:
UDP flood! From MYIP:137 to OUTSIDEIP:137 UDP flood! From MYIP:137 to DIFFERENT_OUTSIDEIP:137
The port 137 traffic I assume is netbios/reverse ns activity (either surfing onto windows servers from the my server (MYIP), or web activity to our server (which is win 2003)). If that's the case, should I allow port 137 originating from inside my network to help with logging?
Searching the web for the port ranges for the blocked ActiveX control has turned up no info. Could that be from surfing the web from our server as well? I should mention that a reverse NS lookup on the remote IPs doesn't turn up any domains that looks familiar (beyond regular ISP domains (comcast, etc).
Thanks, Patrick