Re: NIS 2003 dropped packets

Date: Sun, 13 Oct 2002 11:10:18 GMT
"Gary Streeter" wrote in message
I've installed NIS 2003 and am getting many records in the firewall log like
the one below whenever I use IE. I can't find anything about this in the
manuals or on the Symantec web site. Does anyone know what this means?

Details: TCP non-syn/non-ack packet on invalid connection. Packet has been
dropped
Source IP address: dmzweb4.europe.creative.com(193.95.171.84)
Destination IP address: jupiter(192.168.0.100)
TCP Source Port: http(80)
TCP Destination Port: 1163
TCP Message Flags: 0x00000018

First question, based on the destination IP, are you behind a router?
Second, had you been to the site in the source IP address (creative.com)?
If so, then looking at the source port (http 80), it is likely just a late
packet arriving to your system as a result of being at the site that NIS no
longer considers part of an active connection and has dropped. If this is
the case, it is nothing to worry about.

NIS2003 scrutinizes incoming packets closer than previous versions and it is
not unusual to see these late packets being dropped and showing up in the
logs. One way to help determine if it is just late packets being dropped is
to check the source port and IP. If they coincide with recent connections
you have made, i.e. http port 80, nntp port 119, then they are nothing to
worry about.

However, certain types of unsolicited traffic/scans will also show up with
this type of log entry. An example of this would be the stealth scan at
pcflank.com. Part of the stealth scan will show in your logs as the TCP
non-syn/non-ack packet, part will show up in the IDS log.

So to determine what may be going on, you have to look at all the
information (source IP, source port, etc.) that is provided in the log
entry.

Regards,
Jim
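The check Jim describes (decode the flag word, then compare the source IP and port against connections you recently made) as an added Python example; this is not code from the original thread. It parses the exact entry quoted in the question; the set of recent peers passed to classify() is a constructed assumption standing in for whatever connection record you have.

```python
import re

# TCP flag bits as encoded in the firewall's hex flag word (FIN is bit 0).
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

# The log entry quoted in the question, embedded here as sample input.
SAMPLE_ENTRY = """Details: TCP non-syn/non-ack packet on invalid connection. Packet has been
dropped
Source IP address: dmzweb4.europe.creative.com(193.95.171.84)
Destination IP address: jupiter(192.168.0.100)
TCP Source Port: http(80)
TCP Destination Port: 1163
TCP Message Flags: 0x00000018"""

def _field(text, label):
    """Return the value after 'label:' on its own line, or raise if the line is absent."""
    m = re.search(rf"^{re.escape(label)}:\s*(.+)$", text, re.M)
    if not m:
        raise ValueError(f"missing field: {label}")
    return m.group(1).strip()

def _split_name_value(s):
    """'http(80)' -> ('http', '80'); 'jupiter(192.168.0.100)' -> ('jupiter', ...); '1163' -> (None, '1163')."""
    m = re.fullmatch(r"(?:(\S+)\()?([^()]+)\)?", s)
    return (m.group(1), m.group(2)) if m else (None, s)

def parse_entry(text):
    """Parse one NIS 'packet dropped' entry into addresses, ports and the raw flag bits."""
    src_host, src_ip = _split_name_value(_field(text, "Source IP address"))
    dst_host, dst_ip = _split_name_value(_field(text, "Destination IP address"))
    _, sport = _split_name_value(_field(text, "TCP Source Port"))
    _, dport = _split_name_value(_field(text, "TCP Destination Port"))
    return {"src_host": src_host, "src_ip": src_ip, "dst_host": dst_host, "dst_ip": dst_ip,
            "sport": int(sport), "dport": int(dport),
            "flags": int(_field(text, "TCP Message Flags"), 16)}

def flag_names(flags):
    """Decode the flag word: 0x18 -> ['PSH', 'ACK'], a data segment from an already-established peer."""
    return [name for bit, name in sorted(TCP_FLAGS.items()) if flags & bit]

def classify(entry, recent_peers):
    """Apply the reply's heuristic. recent_peers is a constructed set of (ip, port) pairs
    this host recently connected to (e.g. taken from a netstat snapshot or browser history)."""
    if (entry["src_ip"], entry["sport"]) in recent_peers and entry["dport"] >= 1024:
        return "late-packet"      # straggler from a connection the firewall already closed
    return "unsolicited"          # matches no recent outbound connection: worth a closer look
```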


