I agree with Chau. Sub7 is quite old so unless your firewall actually analysed the packets sent by the probe, I would guess
that someone's just using the same port that Sub7 used. A year or two ago someone contacted our upstream (they didn't bother
notifying us...they immediately escalated...dumbass) accusing us of performing a Sub7 attack on his box. At the time we had a
couple dozen users but they were fairly clued and knew better than to try something like that.
I modified the kernel to look out for outbound packets on the Sub7 port and to report who did it, with what program, etc. A few
weeks later it flagged one of our users. Turns out his home box was on dialup which meant the IP periodically changed. Normally when
this happened, his box would contact a dynamic DNS service to update his record. When that didn't happen, he'd run a program on our
machine that would scan his ISP's netblock (bad!!) looking for his box. The port he used was, you guessed it, 27374...aka "the sub7 port."
So while this user definitely committed a no-no and got a smack-down for his efforts, it was in no way related to a Sub7 attack.
In general, if you're not running an IDS program like snort (and most firewalls don't do enough analysis to qualify as an IDS), it's too
error-prone to equate a port number with a specific attack. And even snort generates a lot of false alarms :/
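
A user-space counterpart to the outbound-port check described in the post above, added here as an example (it is not the poster's kernel modification): it parses constructed lines in the Linux `/proc/net/tcp` layout, reports which UID owns sockets whose remote port is 27374, and counts distinct remote hosts per UID. Linux, the function names and the sample addresses are assumptions; resolving the socket inode to a program means walking `/proc/<pid>/fd`, which is left out.

```python
import socket
import struct
from collections import defaultdict

SUB7_PORT = 27374  # port named in the post
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "0A": "LISTEN"}

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0A0200C0:9C40 057100CB:6AEE 02 00000001:00000000 01:00000064 00000000  1001        0 54321 2
   2: 0A0200C0:9C41 067100CB:6AEE 02 00000001:00000000 01:00000064 00000000  1001        0 54322 2
   3: 0A0200C0:D431 076433C6:01BB 01 00000000:00000000 00:00000000 00000000  1002        0 54400 1
"""

def _endpoint(field):
    """Decode 'HEXIP:HEXPORT' (IPv4, little-endian host) into (ip, port)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def outbound_to_port(proc_text, port=SUB7_PORT):
    """Return one record per socket whose remote port equals `port`."""
    hits = []
    for line in proc_text.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue
        remote_ip, remote_port = _endpoint(cols[2])
        if remote_port != port or cols[3] == "0A":   # ignore listeners
            continue
        hits.append({"uid": int(cols[7]), "remote": remote_ip,
                     "state": TCP_STATES.get(cols[3], cols[3]),
                     "inode": int(cols[9])})
    return hits

def hosts_per_uid(hits):
    """Distinct remote hosts per UID; many hosts from one UID looks like a sweep."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["uid"]].add(h["remote"])
    return {uid: sorted(ips) for uid, ips in seen.items()}

if __name__ == "__main__":
    for uid, ips in hosts_per_uid(outbound_to_port(SAMPLE)).items():
        print(f"uid {uid}: {len(ips)} host(s) on port {SUB7_PORT}: {ips}")
```

The output attributes the traffic to a local account and shows how many hosts it touched; it says nothing about whether the payload is Sub7, which is the distinction the post draws.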