TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Hello everybody,
I've got another very interesting question... Our RS 3.2.1 network engine
detected within 12 hours 4 Tribe_Flood_Network events which looked like this
(they only differed from one another by the date):
*** BEGINNING ***
Source Address: xxx.xxx.xxx.xxx (one of our servers' addresses)
Source MAC Address: xx:xx:xx:xx:xx:xx
Destination Address: 63.210.241.4
Destination MAC Address: xx:xx:xx:xx:xx:xx
Time: Wednesday, July 19, 2000 09:26:41
Protocol: ICMP (1)
ICMP Type: Echo Reply
ICMP Code: None
Priority: high
Actions mask: 0x244
Event Specific Information:
Command: Reply
Message: mailto:[EMAIL PROTECTED] for questions This ICMP
EC
*** END (it ends abruptly with "EC")***
I have no more clues, because session recording was not enforced. So what does
all this mean? Was the mentioned Message "mailto:ops@..." included in the
echo request packet or in the echo reply packet? It would be very strange
for it to be in the reply packet originating from our machine...
So I did the following:
*** I checked all the daemons running on our incriminated server and found
nothing suspect. Nothing suspect from our integrity checking tool either.
*** I checked with "whois" the 63.210.241.4 address, and it doesn't seem
related to Digital Island (-> digisle.com). Spoofed?
Have you got any idea? Have you already met similar cases? It doesn't seem
to be originating from a TFN daemon, but is it really a false positive?
Thank you for your valuable help, and hope you have a good day/night!
Erik
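Added example, not part of Erik's post or of RealSecure: it models the RFC 792 Echo Reply behaviour to show why a text string can appear in a reply leaving one of your own hosts. A host answering an Echo Request copies the identifier, sequence number and data unchanged into the reply, so a string seen in the reply was carried by the inbound request. The probe text and the ops@example.invalid address are constructed placeholders.

```python
import struct


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); 0 for a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Type/code/checksum/id/seq header (code 0) followed by the data field."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP message into its fields, rejecting a bad checksum."""
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "data": packet[8:]}


def echo_reply_for(request: bytes) -> bytes:
    """What a normal host does with an Echo Request (type 8): answer with
    type 0 and the same id, seq and data, recomputing only the checksum."""
    req = parse_icmp(request)
    if req["type"] != 8 or req["code"] != 0:
        raise ValueError("not an echo request")
    return build_icmp(0, req["id"], req["seq"], req["data"])


def payload_origin(request: bytes, reply: bytes) -> str:
    """Classify where the text in an observed Echo Reply came from."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    if rep["type"] == 0 and rep["data"] == req["data"]:
        return "mirrored-from-request"
    return "generated-locally"


# Constructed probe text shaped like the truncated alert message; the
# real sender address is not in the post, so a placeholder is used.
PROBE_TEXT = b"mailto:ops@example.invalid for questions This ICMP EC"
```

Feeding the captured request and reply pair into payload_origin tells you whether the string was echoed by your server or produced by a process on it, which is the distinction the alert alone cannot make.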