Re: help with analysis of firewall log
From: Ashok Aiyar (aiyar@ebv.mimnet.northwestern.edu) Date: 02/27/02
- Next message: James Riden: "Re: Who is doom and Elite? + ssh question"
- Previous message: Barry Margolin: "Re: Possible PASV port theft"
- In reply to: Hal Burgiss: "Re: help with analysis of firewall log"
- Next in thread: Hal Burgiss: "Re: help with analysis of firewall log"
- Reply: Hal Burgiss: "Re: help with analysis of firewall log"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Ashok Aiyar <aiyar@ebv.mimnet.northwestern.edu> Date: 27 Feb 2002 16:07:34 GMT
On Wed, 27 Feb 2002 14:50:36 GMT,
Hal Burgiss (hal@burgiss.net) wrote:
>> port attempts protocol explanation
>> 8 290 udp ??
>
> My guess is this one is actually ICMP type 8, and not a port. I've seen
> some log analyzers that do this.
Well, the raw iptables log indicates it is UDP port 8. I don't have
iptables configured to log icmp. I have attached a sample entry below:
Feb 22 17:06:31 ebv kernel: fw filter: IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:00:39:d0:40:e1:08:00
SRC=192.168.1.103 DST=255.255.255.255 LEN=196 TOS=0x00
PREC=0x00 TTL=128 ID=278 PROTO=UDP SPT=8 DPT=8 LEN=176
All 290 happened consecutively, and came from the same IP address.
Strange ...
>> 33486-33524 39 udp
>
> Traceroute?
Definitely. I agree. I haven't been able to figure out what the
others are, and couldn't find descriptions on SANS, which was the
reason for my post ...
Cheers,
Ashok
-- Ashok Aiyar RLU #51601
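The confusion above (a summary tool reporting "port 8" for what might be an ICMP type, versus a raw netfilter entry that really does say PROTO=UDP DPT=8) comes down to which fields a log analyzer reads. The following Python is an added example, not code from the thread or from any tool the posters used: it parses netfilter LOG lines into their KEY=VALUE fields, keeps the repeated LEN/ID keys apart, and counts by destination port for TCP/UDP but by TYPE/CODE for ICMP, which has no ports. The first sample entry mirrors the one quoted above; the other two (RFC 1918 addresses, invented MACs, an ICMP echo request and a traceroute-style UDP probe) are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample entries. The first mirrors the UDP entry quoted in the thread;
# the other two are made up (RFC 1918 addresses, invented MACs) to show how an ICMP
# echo request and a traceroute-style UDP probe look once parsed.
SAMPLE_LOG = [
    "Feb 22 17:06:31 ebv kernel: fw filter: IN=eth0 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:00:39:d0:40:e1:08:00 SRC=192.168.1.103 DST=255.255.255.255 "
    "LEN=196 TOS=0x00 PREC=0x00 TTL=128 ID=278 PROTO=UDP SPT=8 DPT=8 LEN=176",
    "Feb 22 17:07:02 ebv kernel: fw filter: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.1 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1234 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1",
    "Feb 22 17:07:30 ebv kernel: fw filter: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.9 DST=10.0.0.1 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=5 DF PROTO=UDP SPT=41000 DPT=33490 LEN=40",
]

# KEY=VALUE tokens. OUT= legitimately has an empty value; bare flags such as DF
# carry no '=' and are not fields.
TOKEN_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_entry(line: str) -> Dict[str, List[str]]:
    """Split one netfilter LOG line into key -> [values].

    Values are kept in a list because some keys repeat within one entry: LEN is
    logged for the IP header and again for UDP, and ID for the IP header and
    again for the ICMP identifier. A plain dict would silently keep only the last.
    """
    fields: Dict[str, List[str]] = {}
    for key, value in TOKEN_RE.findall(line):
        fields.setdefault(key, []).append(value)
    return fields


# Classic Unix traceroute sends UDP probes to 33434 and walks upward; 100 ports
# covers the usual 30 hops x 3 probes with headroom.
TRACEROUTE_UDP_PORTS = range(33434, 33534)


def classify(fields: Dict[str, List[str]]) -> Tuple[str, str, str]:
    """Return (protocol, target, note).

    'target' is what a summary should count. TCP and UDP have a destination
    port; ICMP has no ports, only TYPE/CODE, so an analyzer that prints
    "port 8" for an ICMP echo request is reading the wrong field.
    """
    proto = fields.get("PROTO", ["?"])[0].lower()
    dst = fields.get("DST", [""])[0]
    notes = []
    if proto == "icmp":
        icmp_type = fields.get("TYPE", ["?"])[0]
        icmp_code = fields.get("CODE", ["?"])[0]
        target = f"type {icmp_type} code {icmp_code}"
        if icmp_type == "8":
            notes.append("echo request")
    elif proto in ("tcp", "udp"):
        dport = int(fields["DPT"][0])
        target = f"dport {dport}"
        if proto == "udp" and dport in TRACEROUTE_UDP_PORTS:
            notes.append("traceroute-style probe")
    else:
        target = "n/a"
    if dst == "255.255.255.255":
        notes.append("limited broadcast")
    return proto, target, "; ".join(notes)


def summarize(lines: List[str]) -> Counter:
    """Count entries by (protocol, target), the way a port-summary report would."""
    counts: Counter = Counter()
    for line in lines:
        proto, target, _ = classify(parse_entry(line))
        counts[(proto, target)] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        f = parse_entry(line)
        proto, target, note = classify(f)
        print(f"{f['SRC'][0]:>15} -> {f['DST'][0]:<15} {proto:4} {target:18} {note}")
    for (proto, target), n in summarize(SAMPLE_LOG).items():
        print(f"{n:4} {proto} {target}")
```

Run against a real log, the summary keys make the distinction the thread is asking about visible at a glance: an ICMP echo request is counted under "icmp type 8 code 0", not under a port, and a run of UDP probes into the 33434+ range is flagged as traceroute-style rather than left as a list of unexplained high ports.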