Re: What to look at, source or destination port?
From: José Joaquín (jostein_svq_at_hotmail.com)
Date: 07/23/03
- Previous message: Dana Epp: "Re: finding who has logged in on Win2k Pro"
- Maybe in reply to: Nathan: "What to look at, source or destination port?"
- Next in thread: Vachon, Scott: "RE: What to look at, source or destination port?"
To: nathan.grandbois@cerdant.com, security-basics@securityfocus.com
Date: Wed, 23 Jul 2003 08:32:15 +0200
Hi there,
UDP is not a connection-oriented protocol as TCP is, so it is more difficult
to track it by a mean firewall (i.e. it's quite difficult to find out which
peer is the origin of the communication). You should determine if there are
more entries in the logs like those, group them by source port and see if
the destination port is the same.
Anyway, it's good practice to allow only packets belonging to well-known
UDP protocols to pass through the firewall.
I hope this information is useful to you.
Best regards,
Jose Joaquin.
>From: "Nathan" <nathan.grandbois@cerdant.com>
>Reply-To: <nathan.grandbois@cerdant.com>
>To: <security-basics@securityfocus.com>
>CC: <firewalls@securityfocus.com>
>Subject: What to look at, source or destination port?
>Date: Tue, 22 Jul 2003 12:57:06 -0400
>
>07/19/2003 04:33:30.688 - UDP packet dropped - Source:10.30.9.60, 1042,
>LAN - Destination:remote.ip.address.x, 1948, WAN - -
>07/19/2003 04:35:48.912 - UDP packet dropped - Source:10.30.9.60, 1042,
>LAN - Destination:remote.ip.address.x, 1948, WAN - -
>07/19/2003 04:37:34.384 - UDP packet dropped - Source:10.30.9.60, 1042,
>LAN - Destination:remote.ip.address.x, 1948, WAN - -
>07/19/2003 04:40:41.576 - UDP packet dropped - Source:10.30.9.60, 1042,
>LAN - Destination:remote.ip.address.x, 1948, WAN - -
>07/19/2003 03:16:22.432 - UDP packet dropped - Source:10.30.9.60, 1042,
>LAN - Destination:remote.ip.address.x, 1948, WAN - -
>
>I recently saw these logs come across my friend's firewall. I'm trying to
>determine what is going on here. I looked up the remote.ip.address.x and it
>was an AT&T Worldnet user. The destination port, 1948, is listed as eye2eye.
>Well, I looked at eye2eye's website (www.iosoftware.com) and found nothing
>about 1948. A user would have to configure the securesite software to use
>that port specifically - which is not the case. My question to the list is,
>is the source port what I should be looking at in these connections, or the
>destination port?
>
>-Nathan
>
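The grouping suggested in the reply (group the dropped-packet entries by source port, then check whether the destination port stays the same), as an added example that is not part of the original messages. The first three sample lines are the thread's log entries unwrapped to one line each; the last three, and the function names, are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the dropped-packet line format quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - (?P<proto>\w+) packet dropped - "
    r"Source:(?P<src>[^,]+), (?P<sport>\d+), \w+ - "
    r"Destination:(?P<dst>[^,]+), (?P<dport>\d+), \w+"
)

# Lines 1-3: from the thread, unwrapped. Lines 4-6: constructed contrast case.
SAMPLE_LOG = """\
07/19/2003 04:33:30.688 - UDP packet dropped - Source:10.30.9.60, 1042, LAN - Destination:remote.ip.address.x, 1948, WAN - -
07/19/2003 04:35:48.912 - UDP packet dropped - Source:10.30.9.60, 1042, LAN - Destination:remote.ip.address.x, 1948, WAN - -
07/19/2003 04:37:34.384 - UDP packet dropped - Source:10.30.9.60, 1042, LAN - Destination:remote.ip.address.x, 1948, WAN - -
07/19/2003 04:38:01.100 - UDP packet dropped - Source:10.30.9.61, 1050, LAN - Destination:192.0.2.10, 2001, WAN - -
07/19/2003 04:38:02.200 - UDP packet dropped - Source:10.30.9.61, 1050, LAN - Destination:192.0.2.11, 2002, WAN - -
07/19/2003 04:38:03.300 - UDP packet dropped - Source:10.30.9.61, 1050, LAN - Destination:192.0.2.12, 2003, WAN - -
"""

def group_by_source_port(log_text):
    """Map (source IP, source port) -> {(dest IP, dest port): packet count}."""
    groups = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore entries in any other format
        key = (m["src"], int(m["sport"]))
        groups[key][(m["dst"], int(m["dport"]))] += 1
    return {k: dict(v) for k, v in groups.items()}

def summarize(groups):
    """Label each source socket by whether it always hits one destination."""
    report = {}
    for key, dests in groups.items():
        label = "fixed destination" if len(dests) == 1 else "varying destinations"
        report[key] = (label, sum(dests.values()), sorted(dests))
    return report

if __name__ == "__main__":
    for (src, sport), (label, total, dests) in summarize(
            group_by_source_port(SAMPLE_LOG)).items():
        print(f"{src}:{sport} -> {label}, {total} packets, {dests}")
```

A source port that stays constant across retries to one destination port, as in the thread's entries, points to a single local socket repeatedly sending to the same remote service rather than to many separate flows.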