Steve,
Yes, I have tried monitoring via ethereal at several different points on the network - no luck. My backbone is far too tightly configured for that, and the traffic seems scheduled. Also, the traffic was (originally) totally random in Source IP (spoofed) and the latest batch was actually using a source and destination IP class of 172.24, which as you know is the protected network class assigned by iana. The traffic is very tightly directed and without any real pattern so far. If I had not scanned everything in real-time and then online, I would say it was a Trojan or virus.

Danny

-----Original Message-----
From: Steve Leach [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 30, 2004 1:18 PM
To: Cox, Danny H.
Subject: Re: [gb-users] Syslogger - that works?

Cox, Danny H. wrote:

Old story new cover... The email below is in reference to my much earlier request for a "good" syslogger. Something I still need. I would also like to see GTA figure a way to capture the MAC address as well as the other data. My reason is simple - see the log data roughly 9 lines down! Something is managing to get behind the firewall and initiate this crap. I have scanned all systems via real-time and using Online and all computers are clean. If I was any more clamped down, I would not be able to breathe. VPN appears clean, DMZ is clean. So you tell me where this crap is originating from! The GTA ver 3.4.0 (Flash) logs are worthless for this one because they do not provide a MAC address.

Danny

<LOG DATA>
ALARM NO: 1
DATE: Thu 2004-01-22 18:55:22 GMT
INTERFACE: Protected (xl0)
INTERFACE TYPE: Protected
ALARM TYPE: Possible spoof
IP PACKET: TCP [198.202.130.170/1239]-->[64.35.110.11/80] l=0 f=0x2
[198.202.130.170/1239]-->[64.35.110.11/http]
DETAILED DESCRIPTION: Return interface for IP packet is different than arrival.
<LOG DATA END>

John Stokes

------------------------------------------------------
To unsubscribe: [EMAIL PROTECTED]
For additional commands: [EMAIL PROTECTED]
Archive: http://archives.gnatbox.com/gb-users/

Danny,

Have you tried putting a packet capture application on the protected network? An older system with Red Hat 9 or some such and using Ethereal or whatever would suffice if you have a decent size disk drive to capture say 12 hours of data and then study it to try and get a MAC address relationship.

--
Best Regards,
Steve Leach
Network Manager
MI International Ltd
Tel: +44 (0)1642 356 205
Fax: +44 (0)1642 356 229
[EMAIL PROTECTED]
www.mi-int.com
www.askalix.com

DISCLAIMER
Any opinions expressed in this e-mail are those of the individual and not necessarily of MI International Ltd. This e-mail and any information or files transmitted with it, including replies and forwarded copies, are confidential and intended solely for the use of the intended individual or entity. If you are not the intended recipient, please e-mail [EMAIL PROTECTED], along with a copy of the e-mail.
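The thread's problem is that the firewall's "Possible spoof" alarm records a source IP but no MAC address, so the host behind the protected interface that emits the spoofed packets cannot be named from the log alone; Steve's suggestion is to capture on the protected segment and correlate. The script below is an added example (not code from the thread, from GTA or from the list) that does exactly that offline: it parses alarm records in the layout quoted above, parses `tcpdump -e -n` style lines from a capture on the protected segment, and for each alarm reports which Ethernet source MAC sent that source/destination pair. It also lists every MAC that sent frames with a source IP outside the LAN prefix, which finds spoofing hosts even when the firewall raised no alarm. The protected prefix `192.168.1.0/24`, the MAC addresses and the capture lines are constructed assumptions; the alarm block is the one quoted in the thread.

```python
"""Correlate 'Possible spoof' firewall alarms with a capture from the protected
segment to recover the IP-to-MAC relationship the thread asks for.

Added example, not code from the gb-users thread or from GTA. The alarm parser
follows the record layout quoted in the thread; the tcpdump lines, MACs and the
protected prefix are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed address range of the protected LAN (adjust to the real segment).
PROTECTED_NET = ipaddress.ip_network("192.168.1.0/24")

ALARM_FIELD = re.compile(r"^([A-Z][A-Z ]*): (.*)$")
# "TCP [src/sport]-->[dst/dport] ..." as printed in the IP PACKET field.
PACKET = re.compile(
    r"^(?P<proto>\w+) \[(?P<src>[\d.]+)/(?P<sport>\d+)\]-->\[(?P<dst>[\d.]+)/(?P<dport>\d+)\]"
)
# One line of `tcpdump -e -n` output (Ethernet addresses included).
FRAME = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 \(0x0800\), "
    r"length \d+: (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


@dataclass(frozen=True)
class Alarm:
    number: int
    alarm_type: str
    interface: str
    src_ip: str
    dst_ip: str
    dport: int


@dataclass(frozen=True)
class Frame:
    ts: str
    src_mac: str
    src_ip: str
    dst_ip: str
    dport: int


def parse_alarms(text):
    """Parse one or more alarm blocks laid out as in the thread's <LOG DATA>."""
    alarms, fields = [], {}

    def flush():
        pkt = PACKET.match(fields.get("IP PACKET", ""))
        if "ALARM NO" in fields and pkt:
            alarms.append(Alarm(int(fields["ALARM NO"]), fields.get("ALARM TYPE", ""),
                                fields.get("INTERFACE", ""), pkt["src"], pkt["dst"],
                                int(pkt["dport"])))
        fields.clear()

    for raw in text.splitlines():
        m = ALARM_FIELD.match(raw.strip())
        if not m:
            continue  # delimiters and the bare "[src]-->[dst]" continuation line
        if m.group(1) == "ALARM NO":
            flush()  # a new record starts; emit the previous one
        fields[m.group(1)] = m.group(2)
    flush()
    return alarms


def parse_tcpdump(text):
    """Parse `tcpdump -e -n` lines into frames, keeping the Ethernet source MAC."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            frames.append(Frame(m["ts"], m["smac"], m["src"], m["dst"], int(m["dport"])))
    return frames


def attribute_alarms(alarms, frames):
    """Map each alarm number to the MACs that emitted its source/destination pair."""
    return {a.number: sorted({f.src_mac for f in frames
                              if f.src_ip == a.src_ip and f.dst_ip == a.dst_ip})
            for a in alarms}


def foreign_sources(frames, net=PROTECTED_NET):
    """MACs on the segment that sent frames whose source IP is outside the LAN prefix."""
    seen = defaultdict(set)
    for f in frames:
        if ipaddress.ip_address(f.src_ip) not in net:
            seen[f.src_mac].add(f.src_ip)
    return {mac: sorted(ips) for mac, ips in seen.items()}


# Constructed sample input: the alarm quoted in the thread plus invented capture lines.
SAMPLE_ALARMS = """\
<LOG DATA>
ALARM NO: 1
DATE: Thu 2004-01-22 18:55:22 GMT
INTERFACE: Protected (xl0)
INTERFACE TYPE: Protected
ALARM TYPE: Possible spoof
IP PACKET: TCP [198.202.130.170/1239]-->[64.35.110.11/80] l=0 f=0x2
[198.202.130.170/1239]-->[64.35.110.11/http]
DETAILED DESCRIPTION: Return interface for IP packet is different than arrival.
<LOG DATA END>
"""
SAMPLE_CAPTURE = """\
18:55:22.101 00:0c:29:aa:bb:cc > 00:50:56:ff:00:01, ethertype IPv4 (0x0800), length 60: 198.202.130.170.1239 > 64.35.110.11.80: Flags [S], seq 1, win 512, length 0
18:55:22.740 00:0c:29:aa:bb:cc > 00:50:56:ff:00:01, ethertype IPv4 (0x0800), length 60: 10.9.8.7.1240 > 64.35.110.11.80: Flags [S], seq 1, win 512, length 0
18:55:30.002 00:11:22:33:44:55 > 00:50:56:ff:00:01, ethertype IPv4 (0x0800), length 74: 192.168.1.20.3322 > 64.35.110.11.80: Flags [S], seq 9, win 65535, length 0
"""

if __name__ == "__main__":
    alarms, frames = parse_alarms(SAMPLE_ALARMS), parse_tcpdump(SAMPLE_CAPTURE)
    for number, macs in attribute_alarms(alarms, frames).items():
        print(f"alarm {number}: emitted by {', '.join(macs) or 'no matching frame'}")
    for mac, ips in foreign_sources(frames).items():
        print(f"{mac} sent non-LAN source addresses: {', '.join(ips)}")
```

On the constructed input the alarm's source/destination pair is traced to `00:0c:29:aa:bb:cc`, and the same MAC also shows up in `foreign_sources` for a second spoofed address, which is the kind of relationship a 12-hour capture is meant to expose. The MAC is only meaningful for frames captured on the same Layer 2 segment as the sender; once a router has forwarded the packet the source MAC belongs to the router, so the capture point has to sit on the protected LAN itself, as the thread suggests.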
