On Sun, Dec 31, 2000 at 03:36:13PM -0500, Bob Bernstein wrote:
> On Sun, Dec 31, 2000 at 12:16:59PM -0700, JD Kitch wrote:
>
> > Dec 31 11:06:47 tower kernel: Packet log: output REJECT eth0 PROTO=17
> > xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7632 F=0x0000 T=127
> > (#43)
>
> I don't know what tool generated this log entry. This is a situation where a
> good IDS such as snort would shed a lot of light. For example, grepping a
> set of snort rules for that port yields:

While I agree snort is a good tool, I fail to see why the poster blanked
out the source address but left the dest address. Therefore all
speculation about "where" this packet came from is a bit premature.

> What I gather is that this could be a student at isi.edu, which is
> apparently part of the Univ. of California, trying his or her hand at
> configuring an NT box in some weird way. Who knows?

Come ON people, 172.16.0.0/12 is part of RFC 1918 Private Network
Addresses. Also, in this case it's the poster's IP address (must be
using NAT somewhere along the way).

My (worthless) guess: the provider just got a new HP Openview box and
it's doing autodiscovery on the network.

Cheers,
-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc.                 | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]       |   -- Patton
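Added example, not part of the original thread: a small Python decoder for the ipchains "Packet log" entry quoted above, which names the protocol number and destination port and checks each address against the RFC 1918 ranges the reply mentions. The function names and the short protocol and service tables are assumptions made for this illustration; a redacted address such as the poster's source is reported as unknown rather than guessed.

```python
import ipaddress
import re

# Field layout of the ipchains "Packet log" entry quoted in the thread.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[^\s:]+):(?P<sport>\d+) (?P<dst>[^\s:]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}
SERVICES = {("udp", 161): "snmp", ("udp", 162): "snmptrap"}  # small illustrative table


def is_rfc1918(addr):
    """True/False for a valid IPv4 address, None if it is redacted or malformed."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return None
    return any(ip in net for net in RFC1918)


def parse_packet_log(line):
    """Decode one ipchains log line into a dict, or return None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    proto = PROTOCOLS.get(int(m["proto"]), m["proto"])
    return {
        "chain": m["chain"], "action": m["action"], "iface": m["iface"],
        "proto": proto, "src": m["src"], "dst": m["dst"],
        "sport": int(m["sport"]), "dport": int(m["dport"]), "ttl": int(m["ttl"]),
        "service": SERVICES.get((proto, int(m["dport"]))),
        "src_private": is_rfc1918(m["src"]),
        "dst_private": is_rfc1918(m["dst"]),
    }


# The entry from the thread, rejoined onto one line (source address redacted by the poster).
THREAD_LINE = ("Dec 31 11:06:47 tower kernel: Packet log: output REJECT eth0 PROTO=17 "
               "xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7632 F=0x0000 T=127 (#43)")

if __name__ == "__main__":
    for key, value in parse_packet_log(THREAD_LINE).items():
        print(f"{key:12} {value}")
```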