Just some of the stuff I've seen splatting against the box today, also from 192.168.27.x (my eth1 is the external interface):
Is there a way besides snort to capture & examine these packets?

-Blanton

Dec 19 09:42:28 (none) kernel: Packet log: ext-if DENY eth1 PROTO=1 192.168.27.24:8 24.155.29.78:0 L=1500 S=0x00 I=53505 F=0x4000 T=242 (#6)
Dec 19 09:42:28 (none) kernel: Packet log: ext-if DENY eth1 PROTO=1 192.168.27.21:8 24.155.29.78:0 L=1500 S=0x00 I=25601 F=0x4000 T=242 (#6)
Dec 19 09:42:29 (none) kernel: Packet log: ext-if DENY eth1 PROTO=1 192.168.27.25:8 24.155.29.78:0 L=1500 S=0x00 I=35073 F=0x4000 T=242 (#6)
Dec 19 09:44:42 (none) kernel: Packet log: ext-if DENY eth1 PROTO=1 192.168.27.25:8 24.155.29.78:0 L=1500 S=0x00 I=45313 F=0x4000 T=242 (#6)
Dec 19 09:44:44 (none) kernel: Packet log: ext-if DENY eth1 PROTO=1 192.168.27.23:8 24.155.29.78:0 L=1500 S=0x00 I=32769 F=0x4000 T=242 (#6)
Dec 19 09:45:06 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.32:80 24.155.29.78:10675 L=40 S=0x00 I=25633 F=0x4000 T=51 (#6)
Dec 19 09:45:08 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.32:80 24.155.29.78:10675 L=40 S=0x00 I=25634 F=0x4000 T=51 (#6)
Dec 19 09:45:09 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.24:80 24.155.29.78:6165 L=40 S=0x00 I=20776 F=0x0000 T=51 (#6)
Dec 19 09:45:11 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.24:80 24.155.29.78:6165 L=40 S=0x00 I=20777 F=0x0000 T=51 (#6)
Dec 19 09:45:12 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.32:80 24.155.29.78:10675 L=40 S=0x00 I=25635 F=0x4000 T=51 (#6)
Dec 19 09:45:17 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.24:80 24.155.29.78:6165 L=40 S=0x00 I=20778 F=0x0000 T=51 (#6)
Dec 19 09:45:19 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.32:80 24.155.29.78:10675 L=40 S=0x00 I=10497 F=0x4000 T=51 (#6)
Dec 19 09:45:28 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.24:80 24.155.29.78:6165 L=40 S=0x00 I=33793 F=0x0000 T=51 (#6)
Dec 19 09:45:28 (none) kernel: Packet log: ext-if DENY eth1 PROTO=1 192.168.27.24:8 24.155.29.78:0 L=1500 S=0x00 I=1025 F=0x4000 T=242 (#6)
Dec 19 09:45:34 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.32:80 24.155.29.78:10675 L=40 S=0x00 I=10498 F=0x4000 T=51 (#6)
Dec 19 09:45:50 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.24:80 24.155.29.78:6165 L=40 S=0x00 I=33794 F=0x0000 T=51 (#6)
Dec 19 09:46:03 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.32:80 24.155.29.78:10675 L=40 S=0x00 I=10499 F=0x4000 T=51 (#6)
Dec 19 09:46:34 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.24:80 24.155.29.78:6165 L=40 S=0x00 I=33795 F=0x0000 T=51 (#6)
Dec 19 09:47:01 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.32:80 24.155.29.78:10675 L=40 S=0x00 I=10500 F=0x4000 T=51 (#6)
Dec 19 09:47:18 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.24:80 24.155.29.78:12005 L=40 S=0x00 I=33796 F=0x0000 T=51 (#6)
Dec 19 09:47:19 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.24:80 24.155.29.78:12005 L=40 S=0x00 I=33797 F=0x0000 T=51 (#6)
Dec 19 09:47:21 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.23:80 24.155.29.78:12077 L=40 S=0x00 I=19 F=0x0000 T=51 (#6)
Dec 19 09:47:21 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.23:80 24.155.29.78:4440 L=40 S=0x00 I=20 F=0x0000 T=51 (#6)
Dec 19 09:47:22 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.24:80 24.155.29.78:12005 L=40 S=0x00 I=33798 F=0x0000 T=51 (#6)
Dec 19 09:47:25 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.23:80 24.155.29.78:12077 L=40 S=0x00 I=21 F=0x0000 T=51 (#6)
Dec 19 09:47:25 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.23:80 24.155.29.78:4440 L=40 S=0x00 I=22 F=0x0000 T=51 (#6)
Dec 19 09:47:27 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.24:80 24.155.29.78:12005 L=40 S=0x00 I=33799 F=0x0000 T=51 (#6)
Dec 19 09:47:33 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.23:80 24.155.29.78:4440 L=40 S=0x00 I=6401 F=0x0000 T=51 (#6)
Dec 19 09:47:33 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.23:80 24.155.29.78:12077 L=40 S=0x00 I=6401 F=0x0000 T=51 (#6)
Dec 19 09:47:33 (none) kernel: Packet log: ext-if DENY eth1 PROTO=1 192.168.27.23:8 24.155.29.78:0 L=1500 S=0x00 I=39169 F=0x4000 T=242 (#6)
Dec 19 09:47:33 (none) kernel: Packet log: ext-if DENY eth1 PROTO=1 192.168.27.23:8 24.155.29.78:0 L=1500 S=0x00 I=39169 F=0x4000 T=242 (#6)

----- Original Message -----
From: "Patrick Benson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 19, 2001 2:22 PM
Subject: Re: [Leaf-user] Help understand unusual packets

> Scott wrote:
> >
> > I've been getting tons of these mysterious packets. Eth0 is my external
> > interface so it's unusual that these two private IPs are hitting it. I
> > checked it against that ipchains log decoder (forgot the website) which
> > mostly brushed it off as non-threatening. However, 216.231.46.238 was the
> > result of a big nasty DOS attack last weekend so I'm suspicious of
> > everything. Any insight is most helpful.
> >
> > The offending packets (they are constantly coming in):
> >
> > Dec 19 09:30:19 mail kernel: Packet log: input DENY eth0 PROTO=6
> > 192.168.27.31:80 216.231.46.238:14641 L=41 S=0x00 I=35612 F=0x4000 T=51
> > (#10)
> >
> > Dec 19 09:30:26 mail kernel: Packet log: input DENY eth0 PROTO=6
> > 172.16.0.110:80 216.231.46.238:32992 L=40 S=0x00 I=34533 F=0x4000 T=238 (#9)
> >
> > -Scott
>
> Scott,
>
> Is there a chance that your ISP uses those private nrs. on their
> internal network? My ISP uses 192.168.x.x and 172.17.x.x. That could be
> a hint to why you're getting packets on your eth0...Do you know if your
> ISP uses any sort of proxies with http?
>
>
> --
> Patrick Benson
> Stockholm, Sweden
>
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
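Added example, not part of the thread above and not written by any of its posters: a small Python decoder for the ipchains "Packet log:" lines quoted in the messages, as one way to examine these denied packets without snort. Each line carries chain, target, interface, PROTO, source:port, destination:port, L (total length), S (TOS), I (IP id), F (fragment field, 0x4000 = Don't Fragment bit), T (TTL), optional TCP flag words such as SYN, and (#n) for the rule that matched. For PROTO=1 the two port positions hold the ICMP type and code, so `192.168.27.24:8 24.155.29.78:0` is an echo request. The sample lines are copied from the thread; the RFC 1918 check flags the oddity both posters ask about, private source addresses arriving on the external interface. The field names in the returned dict and the `summarize` helper are this example's own choices.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: four "Packet log" lines copied from the thread above.
SAMPLE_LOG = """\
Dec 19 09:42:28 (none) kernel: Packet log: ext-if DENY eth1 PROTO=1 192.168.27.24:8 24.155.29.78:0 L=1500 S=0x00 I=53505 F=0x4000 T=242 (#6)
Dec 19 09:45:06 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.32:80 24.155.29.78:10675 L=40 S=0x00 I=25633 F=0x4000 T=51 (#6)
Dec 19 09:45:09 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.24:80 24.155.29.78:6165 L=40 S=0x00 I=20776 F=0x0000 T=51 (#6)
Dec 19 09:47:21 (none) kernel: Packet log: ext-if DENY eth1 PROTO=6 192.168.27.23:80 24.155.29.78:12077 L=40 S=0x00 I=19 F=0x0000 T=51 (#6)
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request", 11: "time-exceeded"}

# One ipchains log record; the optional flag words (e.g. " SYN") sit between T= and (#n).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?P<extra>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)$"
)


def parse_line(line):
    """Decode one ipchains Packet log line into typed fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    proto = int(g["proto"])
    frag = int(g["frag"], 16)
    rec = {
        "ts": g["ts"], "chain": g["chain"], "target": g["target"], "iface": g["iface"],
        "proto": proto, "proto_name": PROTO_NAMES.get(proto, str(proto)),
        "src": g["src"], "dst": g["dst"],
        "len": int(g["len"]), "tos": int(g["tos"], 16), "id": int(g["id"]),
        # F= is the raw IP fragment field: DF bit, MF bit, then the 13-bit offset.
        "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000), "frag_offset": frag & 0x1FFF,
        "ttl": int(g["ttl"]), "rule": int(g["rule"]),
        "tcp_flags": g["extra"].split(),
        # RFC 1918 source on a link that should only carry routable addresses is worth a look.
        "src_private": ipaddress.ip_address(g["src"]).is_private,
    }
    if proto == 1:
        # For ICMP, ipchains prints type in the source port slot and code in the destination slot.
        rec["icmp_type"], rec["icmp_code"] = int(g["sport"]), int(g["dport"])
        rec["icmp_name"] = ICMP_TYPES.get(rec["icmp_type"], "type-%d" % rec["icmp_type"])
    else:
        rec["sport"], rec["dport"] = int(g["sport"]), int(g["dport"])
    return rec


def summarize(log_text):
    """Count denied packets per (source, protocol), per rule, and how many came from private space."""
    recs = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {
        "total": len(recs),
        "by_src_proto": Counter((r["src"], r["proto_name"]) for r in recs),
        "rules": Counter(r["rule"] for r in recs),
        "private_src": sum(1 for r in recs if r["src_private"]),
    }


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        r = parse_line(line)
        what = r.get("icmp_name") or "%s %d->%d %s" % (r["proto_name"], r["sport"], r["dport"], " ".join(r["tcp_flags"]))
        print("%s %s -> %s %s len=%d ttl=%d df=%s private_src=%s rule=#%d"
              % (r["ts"], r["src"], r["dst"], what, r["len"], r["ttl"], r["df"], r["src_private"], r["rule"]))
    print(summarize(SAMPLE_LOG))
```

Feeding the full log through `summarize` (e.g. `grep 'Packet log' /var/log/messages`) groups the noise by source and protocol, which makes it easy to see that everything here is a handful of 192.168.27.x hosts sending echo requests and port-80 traffic to one external address, and to judge Patrick's ISP-internal-addressing theory against the TTLs and rule hits.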