Re: snort: WARNING: Bad insert in fraglist for FragTracker 0x8511388
On Sun, 24 Nov 2002 at 12:30:25PM +0100, Tore Nilsson wrote:
> Thanks. Well, I'm not using FTP on the box, so all traffic directed at
> that port is dropped by IPTables. Actually, these messages are from my
> system log (and it was IPTables who logged it there). But, do you think it
> was an attempt to break in? I got 4-5 of each of those 2. And 1 of the
> "WARNING: Fraglist" message...

Most likely a random port scan. I get them all the time. Since port
scans are technically "legal" in the US (there is case law to back
this, look on google) there is not much you can do about it

ttyl
--
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #188: Plate voltage too low on demodulator tube
Re: snort: WARNING: Bad insert in fraglist for FragTracker 0x8511388
Thanks. Well, I'm not using FTP on the box, so all traffic directed at
that port is dropped by IPTables. Actually, these messages are from my
system log (and it was IPTables who logged it there). But, do you think it
was an attempt to break in? I got 4-5 of each of those 2. And 1 of the
"WARNING: Fraglist" message...

//Tore Nilsson

>On Sat, 23 Nov 2002 at 02:11:00PM +0100, Tore Nilsson wrote:
>> Hello!
>Greets.
>> Got this message sent to me by email from logcheck:
>> snort: WARNING: Bad insert in fraglist for FragTracker 0x8511388
>Not a clue...sorry.
>
>> I also got this:
>> Nov 22 16:39:32 otaku kernel: auditIN=eth0 OUT=
>> MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=200.214.189.168
>> DST=213.114.36.73 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=15141 DF PROTO=TCP
>> SPT=41134 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
>Someone from 200.214.189.168 tried to connect (SYN) to your machine on
>port 21 (FTP-Control) suggesting a TCP/IP Window size of 5 kb. It is
>up to the administrator to decide if this is acceptable activity.
>
>
>> Nov 23 10:48:13 otaku kernel: auditIN=eth0 OUT=
>> MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=80.143.237.209
>> DST=213.114.36.73 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=13953 DF PROTO=TCP
>> SPT=3000 DPT=21 WINDOW=32767 RES=0x00 SYN URGP=0
>Same, except a different IP and a window size suggestion of 32 kb
>
>
>ttyl,
>--
>Phil
>
>PGP/GPG Key:
>http://www.zionlth.org/~plhofmei/
>wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
>--
>Excuse #8: Hardware stress fractures
Re: snort: WARNING: Bad insert in fraglist for FragTracker 0x8511388
On Sat, 23 Nov 2002 at 02:11:00PM +0100, Tore Nilsson wrote:
> Hello!

Greets.

> Got this message sent to me by email from logcheck:
> snort: WARNING: Bad insert in fraglist for FragTracker 0x8511388

Not a clue...sorry.

> I also got this:
> Nov 22 16:39:32 otaku kernel: auditIN=eth0 OUT=
> MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=200.214.189.168
> DST=213.114.36.73 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=15141 DF PROTO=TCP
> SPT=41134 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0

Someone from 200.214.189.168 tried to connect (SYN) to your machine on
port 21 (FTP-Control) suggesting a TCP/IP Window size of 5 kb. It is
up to the administrator to decide if this is acceptable activity.

> Nov 23 10:48:13 otaku kernel: auditIN=eth0 OUT=
> MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=80.143.237.209
> DST=213.114.36.73 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=13953 DF PROTO=TCP
> SPT=3000 DPT=21 WINDOW=32767 RES=0x00 SYN URGP=0

Same, except a different IP and a window size suggestion of 32 kb

ttyl,
--
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #8: Hardware stress fractures
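
Added example, not part of the thread or of any poster's message: a small parser for the netfilter LOG entries quoted above, which splits each line into its fields and groups bare-SYN connection attempts by destination port so repeated probes of one closed port stand out. The function names are this example's own; the two log lines are the ones from the thread, rejoined onto single lines.

```python
import re

# The two kernel entries quoted in the thread, each rejoined onto one line.
PAGE_LOG = [
    ("Nov 22 16:39:32 otaku kernel: auditIN=eth0 OUT= "
     "MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=200.214.189.168 "
     "DST=213.114.36.73 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=15141 DF PROTO=TCP "
     "SPT=41134 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0"),
    ("Nov 23 10:48:13 otaku kernel: auditIN=eth0 OUT= "
     "MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=80.143.237.209 "
     "DST=213.114.36.73 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=13953 DF PROTO=TCP "
     "SPT=3000 DPT=21 WINDOW=32767 RES=0x00 SYN URGP=0"),
]

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
# The --log-prefix text ("audit" here) runs straight into IN= when the
# prefix was configured without a trailing space, so match lazily up to IN=.
HEAD = re.compile(r"kernel: (?P<prefix>.*?)IN=")
NUMERIC = ("LEN", "TTL", "ID", "SPT", "DPT", "WINDOW")

def parse_line(line):
    """Return a dict of fields for a netfilter LOG line, or None for other lines."""
    m = HEAD.search(line)
    if m is None:
        return None
    rec = {"prefix": m.group("prefix").strip(), "flags": set()}
    for tok in line[m.end() - 3:].split():      # resume at "IN="
        key, sep, val = tok.partition("=")
        if sep:                                  # KEY=value; value may be empty (OUT=)
            rec[key] = int(val) if key in NUMERIC and val.isdigit() else val
        elif tok in TCP_FLAGS:                   # bare TCP flag; DF etc. are ignored
            rec["flags"].add(tok)
    return rec

def is_connection_attempt(rec):
    """True for a TCP segment with SYN as its only flag (start of a handshake)."""
    return rec.get("PROTO") == "TCP" and rec["flags"] == {"SYN"}

def sources_by_port(lines):
    """Map each destination port to the sorted source addresses that sent a bare SYN."""
    out = {}
    for rec in filter(None, map(parse_line, lines)):
        if is_connection_attempt(rec):
            out.setdefault(rec["DPT"], set()).add(rec["SRC"])
    return {port: sorted(srcs) for port, srcs in out.items()}

if __name__ == "__main__":
    for port, srcs in sources_by_port(PAGE_LOG).items():
        print(f"dport {port}: {len(srcs)} source(s): {', '.join(srcs)}")
```
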