[newbie] Reading Shorewall log

2003-09-13 Thread Michael Adams

Can someone help me decipher this single log excerpt? The bits I
understand I have filled in. I was getting this exactly every half
minute. I have scanned the online shorewall docs but did not see how a
newbie can read the logs. I have also found that Port 500 is for ISAKMP
which means nothing to me. (Computing Dictionary Definition:
 Internet Security Association and Key Management Protocol)

Is this identifiable as a particular worm/virus from this info? I have
not found one with this sig (googling).

Which one identifies the port hit on my firewall (SPT=) or (DPT=)? I
know they are the same in this instance.

Why a separate source port and destination port (SPT= DPT=)?

Why two length (LEN=) statements?

###The log entry (my comments start with //)
##I have split it into readable chunks.   

Sep 13 17:02:24 solid kernel:
// Date time host log-source

Shorewall:net2all:DROP:IN=ppp0
// Does net2all mean to all boxes behind the firewall?

OUT= MAC=
// OUT=??? MAC= ethernet card addresses

SRC=203.79.82.168 DST=203.79.67.151
// SRC=Someone else on my ISP. DST=My machine (I confirmed this)
 
LEN=29 TOS=0x00 PREC=0x00 TTL=58 ID=31755
// ???
 
PROTO=UDP
// UDP I sort of understand is an alternative to TCP

SPT=500 DPT=500 LEN=9
// Source Port, Destination Port, LEN ???

#End log entry

-- 
Michael

Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com


Re: [newbie] Reading Shorewall log

2003-09-13 Thread Derek
On Saturday 13 Sep 2003 11:48 am, Michael Adams wrote:
 Can someone help me decipher this single log excerpt? The bits I
 understand I have filled in. I was getting this exactly every half
 minute. I have scanned the online shorewall docs but did not see how a
 newbie can read the logs. I have also found that Port 500 is for ISAKMP
 which means nothing to me. (Computing Dictionary Definition:
  Internet Security Association and Key Management Protocol)

 Is this identifiable as a particular worm/virus from this info? I have
 not found one with this sig (googling).

 Which one identifies the port hit on my firewall (SPT=) or (DPT=)? I
 know they are the same in this instance.

 Why a separate source port and destination port (SPT= DPT=)?

 Why two length (LEN=) statements?

 ###The log entry (my comments start with //)
 ##I have split it into readable chunks.

 Sep 13 17:02:24 solid kernel:
 // Date time host log-source

 Shorewall:net2all:DROP:IN=ppp0
 // Does net2all mean to all boxes behind the firewall?

No, this tells you the shorewall 'rule' which dropped the packet.
'net2all' is the 'catchall' rule which stops any packet from the Internet
getting through the firewall unless there is another rule explicitly allowing
it.


 OUT= MAC=
 // OUT=??? MAC= ethernet card addresses

 SRC=203.79.82.168 DST=203.79.67.151
 // SRC=Someone else on my ISP. DST=My machine (I confirmed this)
SRC (source) is the IP address of whoever sent you the packet (not
necessarily on the same ISP as you). In a Denial of Service attack this
address could be 'spoofed' to mislead you.

DST (destination) is your IP address.



 LEN=29 TOS=0x00 PREC=0x00 TTL=58 ID=31755
 // ???
The packet was 29 bytes long. Its 'Type of Service' header was not defined.
I forget what PREC is. Its 'Time to live' is 58 msecs so if it went through
a network route longer than that it would be dropped before reaching you.
The packet IDentification number is 31755.


 PROTO=UDP
 // UDP I sort of understand is an alternative to TCP
The protocol is UDP which is a broadcasting protocol used for things like
streaming where acknowledgements are not required.



 SPT=500 DPT=500 LEN=9
 // Source Port, Destination Port, LEN ???

The application that sent the packet was using port 500 on the remote machine. 
It is trying to connect to an application using port 500 on your machine. 
This is how the interface knows which application a packet is for.

A quick Google tells me that port 500 is used by VPN services for key 
exchange. If you use this box for a VPN service that could explain all the 
hits.

 #End log entry

I am not aware of any particular worm/virus using this port.

The good news is that shorewall is stopping the packets and you are perfectly
safe. It's the packets that get through you have to worry about :-)

HTH

derek


-- 
www.jennings.homelinux.net
Get urpmi sources from
http://plf.zarb.org/~nanardon/urpmiweb.php
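As an added example (not code from either post in the thread), a small Python parser for the netfilter line that Shorewall writes to the kernel log, with the entry above rejoined onto one line as a constructed sample; it keeps the two LEN fields apart (the first is the IP total length, the second, printed after PROTO=UDP, is the UDP length, and 29 minus the 20-byte IP header is 9), and counts repeating DROP sources the way you would to spot a steady half-minute repeater.

```python
"""Parser for the netfilter log lines Shorewall writes via the kernel log."""
import re
from collections import Counter

# Constructed sample: the entry from the post, rejoined onto the single line
# the kernel actually emits (the post split it into chunks for readability).
SAMPLE = ("Sep 13 17:02:24 solid kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= "
          "SRC=203.79.82.168 DST=203.79.67.151 LEN=29 TOS=0x00 PREC=0x00 TTL=58 "
          "ID=31755 PROTO=UDP SPT=500 DPT=500 LEN=9")

# syslog prefix, then Shorewall's "chain:disposition:" tag, then key=value pairs
_PREFIX = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
                     r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$")
_KV = re.compile(r"(\w+)=(\S*)")   # values may be empty, as in "OUT= MAC="
_INT_KEYS = {"TTL", "ID", "SPT", "DPT"}

def parse_entry(line):
    """Return a dict of the entry's fields; LEN appears twice and is kept apart."""
    m = _PREFIX.match(line)
    if m is None:
        raise ValueError("not a Shorewall kernel log line")
    rec = {"ts": m["ts"], "host": m["host"], "chain": m["chain"], "action": m["action"]}
    lens = []
    for key, val in _KV.findall(m["rest"]):
        if key == "LEN":
            lens.append(int(val))   # first LEN: IP total length; second: UDP length
        elif key in _INT_KEYS:
            rec[key] = int(val)
        else:
            rec[key] = val          # IN/OUT/MAC/SRC/DST/TOS/PREC/PROTO stay strings
    rec["IP_LEN"] = lens[0] if lens else None
    rec["L4_LEN"] = lens[1] if len(lens) > 1 else None
    return rec

def lengths_consistent(rec):
    """For UDP without IP options: UDP length == IP total length - 20-byte IP header."""
    if rec.get("PROTO") != "UDP" or rec["L4_LEN"] is None:
        return None
    return rec["L4_LEN"] == rec["IP_LEN"] - 20

def port_on_firewall(rec):
    """The port addressed on the DST host is DPT; SPT is only the sender's own port."""
    return rec.get("DPT")

def hit_summary(lines):
    """Count DROPped packets per (SRC, PROTO, DPT) so a steady repeater stands out."""
    counts = Counter()
    for line in lines:
        try:
            rec = parse_entry(line)
        except ValueError:
            continue                # skip non-Shorewall lines in a mixed log
        if rec["action"] == "DROP":
            counts[(rec["SRC"], rec["PROTO"], rec.get("DPT"))] += 1
    return counts
```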