On Tue, 13 Nov 2001, Kory Krofft wrote:

> All this talk about the weblet message logs has me wondering. My firewall log
> states that since yesterday I have almost 3000 denied or rejected packets.  I
> included a sample of the log entries below. Can someone  please explain what
> these lines mean? Do I have a problem? Is there a way to reset the logs from the
> browser?
> 
> Thanks,
> Kory
> 
>   Nov 13 18:53:27 markii kernel: Packet log: input DENY eth0 PROTO=6 65.11.220.95:2905 65.28.237.42:80 L=48 S=0x00 I=30599 F=0x4000 T=110 SYN (#39)

cc1932507-c.jrsycty1.nj.home.com poked at woh-65-28-237-42.woh.rr.com
hoping to get an http response (web page).  Could be NIMDA or similar.

The name can be obtained from www.samspade.org (I used "dig -x" on my
Linux workstation).
The source port numbers are not usually relevant.
The destination port numbers are usually relevant, and you can find basic
names in /etc/services, or you can search the web with google.com.
The fact that it is "input DENY eth0" means it was stopped on its way into
eth0.
PROTO=6 is tcp, PROTO=17 is udp, other protocol numbers can be found in
RFC1340 (http://RFC.net/rfc1340.html).

You can find more useful information at
http://leaf.sourceforge.net/devel/thc/#Security.

>   Nov 13 18:55:25 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.237.196:427 224.0.1.22:427 L=675 S=0x00 I=5278 F=0x0000 T=253 (#39)

woh-65-28-237-196.woh.rr.com sent out a multicast udp packet to 224.0.1.22
port 427.  This is apparently the behavior of netware 5.0 clients now (see
http://www.sans.org/infosecFAQ/novell/exposure.htm).  I would suggest
adding a rule to your firewall ruleset that denies these packets without
logging.

[... more of the same...]

>   Nov 13 19:07:59 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.236.136:42 224.0.1.24:42 L=47 S=0x00 I=21740 F=0x0000 T=1 (#39)

woh-65-28-236-136.woh.rr.com is offering WINS replication services to the
world... (http://ntsec.inet-one.com/dir.1998-08/msg00070.html)

>   Nov 13 19:14:04 markii kernel: Packet log: input DENY eth0 PROTO=6 65.14.161.151:4929 65.28.237.42:80 L=48 S=0x00 I=34082 F=0x4000 T=112 SYN (#39)

cp54227-a.mtgmry1.md.home.com poking around for a webserver... NIMDA?

[...]

> 
> Matt Schalit wrote:
> 
> > Mart Kempen wrote:
> > >
> > > > Follow the instructions:
> > > >
> > > > myrouter# more /var/log/messages
> > > >
> > <SNIP>
> 
> 
> 
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> 

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<[EMAIL PROTECTED]>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------
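The reply above walks through the fields of an ipchains "Packet log:" line by hand (chain and action, interface, PROTO number, source and destination address:port, and the SYN flag). The script below is an added example, written for this page and not taken from the thread or from LEAF itself, that does the same decoding mechanically and sorts the entries the way the reply does: multicast chatter that could be dropped without logging on one side, inbound SYNs to a service port on the other. The protocol and port name tables are a small subset of RFC 1340 and /etc/services, and the four sample lines are the ones quoted in the thread, embedded here as constructed test input.

```python
"""Decode ipchains 'Packet log:' lines and separate local noise from inbound probes."""
import re
from collections import Counter
from ipaddress import ip_address

# Protocol numbers from RFC 1340; only the ones a home firewall log usually shows
PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}

# A few /etc/services names for the destination ports seen in the thread
PORT_NAMES = {42: "nameserver", 80: "http", 427: "svrloc"}

IP_DF = 0x4000  # "Don't Fragment" bit in the F= (IP fragment) field

LOG_RE = re.compile(
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)"
)


def parse_line(line):
    """Return a dict of decoded fields for one log line, or None if it is not a Packet log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    proto = int(m["proto"])
    dport = int(m["dport"])
    return {
        "time": m["ts"],
        "chain": m["chain"],          # input / output / forward
        "action": m["action"],        # DENY / REJECT / ACCEPT
        "iface": m["iface"],
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": m["src"],
        "sport": int(m["sport"]),     # usually an ephemeral port; rarely meaningful
        "dst": m["dst"],
        "dport": dport,
        "service": PORT_NAMES.get(dport, "unknown"),
        "ttl": int(m["ttl"]),
        "dont_fragment": bool(int(m["frag"], 16) & IP_DF),
        "tcp_flags": m["flags"].split(),
        "multicast": ip_address(m["dst"]).is_multicast,   # 224.0.0.0/4
        "rule": int(m["rule"]),       # ipchains rule number that matched
    }


def summarize(lines):
    """Count entries per service and split them into multicast noise and inbound SYN probes."""
    by_service = Counter()
    multicast_noise = []
    probes = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_service[(rec["proto"], rec["dport"], rec["service"])] += 1
        if rec["multicast"]:
            # Local-segment chatter (SLP, WINS replication): candidate for a deny rule without logging
            multicast_noise.append(rec)
        elif "SYN" in rec["tcp_flags"]:
            # Unsolicited connection attempt from outside: record who tried which service
            probes.append((rec["src"], rec["service"]))
    return {"by_service": by_service, "multicast_noise": multicast_noise, "probes": probes}


# Constructed sample input: the four entries quoted in this thread
SAMPLE_LOG = [
    "Nov 13 18:53:27 markii kernel: Packet log: input DENY eth0 PROTO=6 65.11.220.95:2905 65.28.237.42:80 L=48 S=0x00 I=30599 F=0x4000 T=110 SYN (#39)",
    "Nov 13 18:55:25 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.237.196:427 224.0.1.22:427 L=675 S=0x00 I=5278 F=0x0000 T=253 (#39)",
    "Nov 13 19:07:59 markii kernel: Packet log: input DENY eth0 PROTO=17 65.28.236.136:42 224.0.1.24:42 L=47 S=0x00 I=21740 F=0x0000 T=1 (#39)",
    "Nov 13 19:14:04 markii kernel: Packet log: input DENY eth0 PROTO=6 65.14.161.151:4929 65.28.237.42:80 L=48 S=0x00 I=34082 F=0x4000 T=112 SYN (#39)",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for key, count in result["by_service"].items():
        print(key, count)
    print("multicast entries:", len(result["multicast_noise"]))
    print("inbound SYN probes:", result["probes"])
```

Run it against `/var/log/messages` by replacing `SAMPLE_LOG` with the file's lines; non-matching lines are skipped, so other kernel messages in the same file do no harm. The multicast test uses the destination address rather than the port, so it also catches multicast traffic to ports the small name table does not know.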

