Thanks for your help. With this I am sending a short description of how the network has been set up and the hardware that we are using.

Network 1 : 10.10.X.X / 255.255.0.0 (The Other Company/Firewall)
Network 2 : 192.168.5.X.X / 255.255.0.0 (My company)

On the switch we have 2 VLANs. The switch and gateway/firewall are
controlled by the other company. The router connects us to the Internet.
The router is controlled by the ISP.

 --------       --------      -------------
 |Router|       |HUB   |      |Comp. (Win)|(192.168.X.X)
 |Cisco |---->  |      |--->  |Network 2  |
 --------       --------      -------------
 (192.168.X.X)   |   |_____________________
 (10.10.X.X)     |                        |(port Vlan2)
                 v                        v
           ----------              ----------(Vlan 2)   192.168.X.X
           |Gateway |              |Switch  |-------->NetWork 2 (Windows)
           |FireWall|------------> |3Com    |(Vlan 1)
           |(Linux) | (port Vlan1) |        |-------->NetWork 1 (Windows)
           ----------              ----------           10.10.X.X
           (10.10.X.X)             (10.10.X.X)

----- Original Message -----
From: "Tarragon Allen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 20, 2001 11:32 PM
Subject: Re: [expert] Firewall Log Question

> On Wed, 21 Nov 2001 14:09, Eduardo Bencomo wrote:
> > We are in a mixed network, which includes a Cisco router, a 3COM switch
> > common to the two networks and a hub where the gateway/firewall Linux
> > computer is connected.
> >
> > One of the networks is my company network (192.168.X.X / 255.255.0.0; I am
> > in charge of it) and the other network belongs to another company
> > (10.10.X.X / 255.255.0.0). This company has a VPN. Now, they are accusing
> > me of being a hacker, alleging we have tried to go into their VPN. As
> > proof of that, they are showing the following type of message:
>
> How do they know it's your network? The 192.168.x.x range is used by many
> many many people out there to define their internal networks, and is in fact
> supplied on spec (in one of the RFCs) for this very purpose. Just showing
> some logs with that IP in it doesn't seem to constitute any proof whatsoever
> that your particular network was involved.
>
> The actual packets they've listed here appear to be NetBIOS broadcasts.
> These are sent by Windows clients when they are trying to poll the network
> for other Windows machines. It looks to me like Windows machines using
> 192.168.x.x are trying to poll something on their network. Again, no
> indication that it's necessarily from *your* network, it could be any machine
> using those IPs with a subnet mask of 255.255.0.0.
>
> If they are seeing these packets, how did they make it there? If they are
> running a VPN, the only way they could see these packets from your network
> would be if someone using that IP connected to their VPN and then forwarded
> packets to them. Unless they can provide more proof (perhaps with
> explanations of where they think the traffic is coming from, rather than a
> pile of oblique logs from a network and host you have no more information
> about) there's not much you can do.
>
> A "more information is required" situation. Also, I'd assume it's not
> "hacking" - it feels more like some sort of misconfiguration to me.
>
> Btw, is this other company on the same network or share network hardware?
> What connections do you have to this company? Could it be something as
> simple as a patch lead connecting two hubs together?
>
> t
>
> > Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6
> >
> > 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109
> > SYN (#70)
> >
> > Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17
> > 192.168.2.185:138
> >
> > 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)
> >
> > Oct 21 04:10:01 localhost kernel: Packet log: input REJECT eth0 PROTO=6
> >
> > 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109
> > SYN (#70)
>
> --
> PGP key : http://n12turbo.com/tarragon/public.key

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
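
Added example (not part of the original messages): a small Python parser for the ipchains "Packet log" lines quoted in the thread, showing that the DENY entry is a NetBIOS datagram broadcast inside a 255.255.0.0 subnet while the REJECT entries are unrelated TCP SYNs from a public address. The function name, the classification labels and the result keys are assumptions of this example; the sample lines are the ones from the thread with the mail line-wrapping undone.

```python
import ipaddress
import re

# Fields of an ipchains "Packet log" entry, in the order they appear in the log.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<rest>.*)$"
)
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}
NETBIOS_UDP = {137, 138}  # NetBIOS name service and datagram service

def parse(line, netmask="255.255.0.0"):
    """Parse one log line; netmask defaults to the mask quoted in the thread."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    proto = PROTO.get(int(m["proto"]), m["proto"])
    dport = int(m["dport"])
    # Broadcast address of the sender's own subnet under the given mask.
    subnet = ipaddress.ip_network(f"{src}/{netmask}", strict=False)
    if proto == "udp" and dport in NETBIOS_UDP and dst == subnet.broadcast_address:
        kind = "netbios-broadcast"
    elif proto == "tcp" and "SYN" in m["rest"].split():
        kind = "tcp-syn"
    else:
        kind = "other"
    # An RFC 1918 source identifies an address plan, not a particular site.
    return {"action": m["action"], "proto": proto, "src": str(src),
            "dst": str(dst), "dport": dport, "kind": kind,
            "src_private": src.is_private}

# The three entries quoted in the thread, with the mail line-wrapping undone.
SAMPLE = [
    "Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)",
    "Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)",
    "Oct 21 04:10:01 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(parse(entry))
```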