Re: TPF log

From: Devdas Bhagat (devdas@worldgatein.net)
Date: 07/23/01


From: Devdas Bhagat <devdas@worldgatein.net>
To: Juan Mejia <jmejia@uchile.cl>, Juan Mejia <jmejia@uchile.cl>, security-basics@securityfocus.com
Subject: Re: TPF log
Date: Mon, 23 Jul 2001 22:31:35 +0530
Message-Id: <01072322365306.29134@office.interoffice>

On Sun, 22 Jul 2001, Juan Mejia spewed into the ether:
> Hello,
> I set Tiny Personal Firewall to "log packets to unopened
> ports". Now the log shows me an entry like this each and every
> minute:
> 1,[date/time] Rule 'Packet to unopened...': : In UDP, LAB [0.0.0.0:68]->localhost:67, Owner: No owner
Looks like a bootp/dhcp packet. Do you have a DHCP server running?

> So I wonder what this IP address means? I suppose it's my
> own PC (since its name is LAB) but I'm not sure about it. Also why is it appearing
A DHCP server has to broadcast the IP address (it obviously cannot send
to an IP address because the machine to which this is addressed does
not have an IP address yet).

> exactly each and every minute the PC is turned on?
> I've seen port 67 is for bootstrap pc but don't know what it is
> for. In case it's my own pc, how could I stop this?
All the time is a bit too much though. bootps is for remote booting
machines/dumb terminals.

<snip>
> Any comments from you guys will help make a win user more security
> conscious and able to make hackers' life more difficult. ;-}
Run snort, and maybe use a sniffer to analyse the traffic.

Devdas Bhagat

--
As some day it may happen that a victim must be found
I've got a little list -- I've got a little list
Of society offenders who might well be underground
And who never would be missed -- who never would be missed.
		-- Koko, "The Mikado"
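
One way to triage the log entry discussed in this thread, as an added example that is not part of the original post or of Tiny Personal Firewall: it parses lines in the layout quoted above, labels BOOTP/DHCP traffic by its UDP ports (client 68, server 67, per RFC 2131) and reports the interval between repeats. The timestamp format, the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Layout follows the entry quoted in the thread. The timestamp format is an
# assumption: the post elides it as [date/time].
TS_FORMAT = "%Y-%m-%d %H:%M:%S"
LINE_RE = re.compile(
    r"^\d+,\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']*)': .*?"
    r"(?P<dir>In|Out) (?P<proto>UDP|TCP), (?P<name>\S+) "
    r"\[(?P<src>[\d.]+):(?P<sport>\d+)\]->(?P<dst>[^:\s]+):(?P<dport>\d+)")

def parse(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def classify(rec):
    """Label BOOTP/DHCP traffic by its well-known UDP ports."""
    ports = (rec["sport"], rec["dport"])
    if rec["proto"] == "UDP" and ports == (68, 67):
        # Source 0.0.0.0 means the sender has no address configured yet.
        return "dhcp-client-unconfigured" if rec["src"] == "0.0.0.0" else "dhcp-client"
    if rec["proto"] == "UDP" and ports == (67, 68):
        return "dhcp-server-reply"
    return "other"

def summarize(lines):
    """Count entries per label; list gaps in seconds between unconfigured-client requests."""
    counts, stamps = {}, []
    for rec in filter(None, map(parse, lines)):
        label = classify(rec)
        counts[label] = counts.get(label, 0) + 1
        if label == "dhcp-client-unconfigured":
            stamps.append(rec["ts"])
    gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
    return counts, gaps

# Constructed sample lines (not taken from a real log).
DHCP = "Rule 'Packet to unopened...': : In UDP, LAB [0.0.0.0:68]->localhost:67, Owner: No owner"
SAMPLE = [
    "1,[2001-07-22 10:00:00] " + DHCP,
    "1,[2001-07-22 10:01:00] " + DHCP,
    "1,[2001-07-22 10:02:00] " + DHCP,
    "1,[2001-07-22 10:02:30] Rule 'Packet to unopened...': : In UDP, HOSTX "
    "[192.0.2.10:137]->localhost:137, Owner: No owner",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A steady gap list such as one request per minute points at a single host on the segment that keeps asking for a lease and never receives one.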