On Wednesday 03 March 2004 12:33 pm, Mike Fehse wrote:
> Sometimes it is after a nasty day of mblaster,
> code_red, and so forth, that some of our users find
> the little green guys in the IDS logs.

Those would be the kind that you actually do want to be logged since it can be evidence of someone trying to gain access to the system by spoofing IPs.

> Other times,
> just adding a computer, or a new program, to their
> LAN does the same. Since we can't always determine
> the problem, just adding to the knowledge base is a
> help.
>
> Would you mind if I added your experience to our FAQ?

Not at all. In fact, my own ability to track down the cause was aided by discussions about rp_filters from firewall discussions and some of the things that caused spurious martians on those. I suspect that I could tailor a rule on the firewall of the router to drop these, or if I cared to delve a little more deeply into how CUPS does its broadcasting, I would be able to eliminate them that way.

Another thought that I had was to set up a static route for the loopback to try to totally eliminate that traffic from hitting the router altogether, but since the CUPS broadcast does have to go out to the local netrange, I am not sure that would eliminate the problem. I might look into some of the discussions at IPCOP to see if there are any specific steps that I might take to research it further.

--
Bryan Phinney
Software Test Engineer