help with analysis of firewall log

From: Ashok Aiyar (aiyar@ebv.mimnet.northwestern.edu)
Date: 02/27/02


    From: Ashok Aiyar <aiyar@ebv.mimnet.northwestern.edu>
    Date: 27 Feb 2002 03:20:20 GMT
    
    

    I use an iptables-firewall with my Linux PC. I just analyzed the
    firewall log on the basis of another post earlier to-day indicating
    an increase in port 139 connection attempts.

    I don't see that in my logs, but have noticed other attempts that I
    don't understand. A summary with port number, number of attempts and
    protocol is included below. I have marked the items I don't understand
    with "??". Insights into these items would be appreciated.

    Thank you,
    Ashok

    Total Attempts: 741

    port          attempts  protocol  explanation
    8             290       udp       ??
    23            5         tcp
    67            235       udp
    119           17        tcp
    137           20        udp
    139           13        tcp
    161           18        udp
    162           53        udp
    427           20        udp       ??
    548           3         tcp
    2222          10        udp       ?? known tcp vulnerability (not udp)
    2301          9         udp       ?? known tcp vulnerability (not udp)
    5480          2         tcp
    8074          1         tcp       ??
    9282          1         udp       ??
    12290         1         tcp       ??
    27374         2         tcp
    33486-33524   39        udp
    33580         1         tcp       ??
    38159         1         tcp       ??

    -- 
    Ashok Aiyar
    RLU #51601
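
A per-port summary like the one in the post above can be produced from raw iptables LOG lines as follows. This is an added example, not part of the original post: the sample log lines are constructed, and the names `summarize` and `collapse` are hypothetical.

```python
import re
from collections import Counter
from itertools import groupby

# Constructed sample in the kernel's iptables LOG format (documentation addresses).
SAMPLE_LOG = """\
Feb 27 02:10:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=48 TTL=110 PROTO=TCP SPT=3101 DPT=139 WINDOW=8192 SYN URGP=0
Feb 27 02:10:04 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=48 TTL=110 PROTO=TCP SPT=3101 DPT=139 WINDOW=8192 SYN URGP=0
Feb 27 02:11:30 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=78 TTL=52 PROTO=UDP SPT=1026 DPT=137 LEN=58
Feb 27 02:12:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=40 TTL=1 PROTO=UDP SPT=40211 DPT=33486 LEN=20
Feb 27 02:12:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=40 TTL=1 PROTO=UDP SPT=40211 DPT=33487 LEN=20
Feb 27 02:12:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=40 TTL=1 PROTO=UDP SPT=40211 DPT=33488 LEN=20
Feb 27 02:13:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=84 TTL=60 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Feb 27 02:13:09 fw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=203.0.113.5 LEN=56 TTL=240 PROTO=ICMP TYPE=3 CODE=3 [SRC=203.0.113.5 DST=192.0.2.50 LEN=28 TTL=49 PROTO=UDP SPT=1030 DPT=53 LEN=8 ]
"""
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def summarize(log_text):
    """Count packets per (protocol, destination port); ICMP is keyed by its type."""
    counts = Counter()
    for line in log_text.splitlines():
        # ICMP errors quote the offending packet as "[SRC=... DPT=...]"; ignore that part
        # so its PROTO/DPT are not mistaken for the logged packet's own.
        f = dict(FIELD.findall(line.split("[SRC=", 1)[0]))
        if "PROTO" not in f:
            continue  # not a packet log line
        key = int(f["DPT"]) if "DPT" in f else "type " + f.get("TYPE", "?")
        counts[(f["PROTO"].lower(), key)] += 1
    return counts

def collapse(counts, min_run=3):
    """Rows of (port, attempts, protocol); runs of consecutive ports become 'lo-hi'."""
    rows = []
    for proto in sorted({p for p, _ in counts}):
        rows += [(k, n, proto) for (p, k), n in counts.items() if p == proto and isinstance(k, str)]
        ports = sorted(k for p, k in counts if p == proto and isinstance(k, int))
        # Consecutive ports share the same (port - index) value, so groupby finds the runs.
        for _, grp in groupby(enumerate(ports), lambda t: t[1] - t[0]):
            run = [port for _, port in grp]
            if len(run) >= min_run:
                rows.append(("%d-%d" % (run[0], run[-1]), sum(counts[proto, k] for k in run), proto))
            else:
                rows += [(str(k), counts[proto, k], proto) for k in run]
    return rows

if __name__ == "__main__":
    for port, attempts, proto in collapse(summarize(SAMPLE_LOG)):
        print("%-12s %8d  %s" % (port, attempts, proto))
```

ICMP lines carry `TYPE=` and `CODE=` instead of port fields, so they are tallied under their own key rather than as a port number.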
    


