Ahh, that was the problem. Linux and BSD use different versions of netstat and I didn't
think of that when I was posting to the list.  BTW, I'm using FreeBSD,
just thought you should know.
Sorry for all the confusion.
This just goes to show how similar yet different versions of OSes use slightly
different things.
Craig

On Mon, Jan 21, 2002 at 01:51:05PM -0600, shawn merdinger wrote:
> Some of the confusion may be coming from the OSs.  I was assuming Linux.
> 
> version:
> 
> cartago:/home/shawn# netstat -V
> net-tools 1.60
> netstat 1.42 (2001-04-15)
> Fred Baumgarten, Alan Cox, Bernd Eckenfels, Phil Blundell, Tuan Hoang and
> others
> +NEW_ADDRT +RTF_IRTT +RTF_REJECT +FW_MASQUERADE +I18N
> AF: (inet) +UNIX +INET +INET6 +IPX +AX25 +NETROM +X25 +ATALK +ECONET +ROSE
> HW:  +ETHER +ARC +SLIP +PPP +TUNNEL +TR +AX25 +NETROM +X25 +FR +ROSE +ASH
> +SIT +FDDI +HIPPI +HDLC/LAPB
> 
> Windows netstat -p is for the protocol.
> 
> heh heh...I'm sure we'll get through this one way or another. :)
> 
> -scm
> 
> 
> On Mon, 21 Jan 2002, Craig Van Tassle wrote:
> 
> >
> > Scm I have looked up the netstat man page.
> > <snip from man netstat>
> >  -f address_family, -p protocol
> >            Limit display to those records of the specified address_family or a
> >            single protocol.  The following address families and protocols are
> >            recognized:
> > </snip from man netstat>
> > If that is what it says on your system then we are using 2 different versions of
> > netstat.  The -p option, as you can see, is the protocol, not the program bound to
> > the socket.
> > I have found that the lsof program actually was much better for tracking down what
> > (as it turned out to be nothing, just grabbed by my firewall and snort system)
> > was using that port and addy on my computer.
> >
> > Thanks for the information.
> >
> > Craig
> >
> > On Mon, Jan 21, 2002 at 01:34:02PM -0600, shawn merdinger wrote:
> > > Without resorting to a flame, the "p" option stands for the following:
> > >
> > > -p, --programs   display PID/Program name for sockets
> > >
> > > So, it's the program that is bound to the socket.
> > >
> > > -scm
> > >
> > >
> > > On Mon, 21 Jan 2002, leon wrote:
> > >
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA1
> > > >
> > > > That is not true.  P stands for proto not port.
> > > >
> > > > - -p proto      Shows connections for the protocol specified by proto; proto
> > > >               may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
> > > >               option to display per-protocol statistics, proto may be any of:
> > > >               IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
> > > >
> > > > It has nothing to do with ports.  Please DO NOT GIVE ADVICE ON THE
> > > > LIST IF YOU ARE NOT SURE OF WHAT YOU ARE SAYING.
> > > >
> > > > Cheers,
> > > >
> > > > Leon
> > > >
> > > > - -----Original Message-----
> > > > From: shawn merdinger [mailto:[EMAIL PROTECTED]]
> > > > Sent: Friday, January 18, 2002 8:45 PM
> > > > Cc: Craig Van Tassle; secuirty-basics
> > > > Subject: Re: loopback device
> > > >
> > > > Also, try the following:
> > > >
> > > > netstat -anp
> > > >
> > > > The p option displays the program bound to that socket/port.
> > > >
> > > > From the looks of your snort log, it did not *appear* to be a
> > > > loopback address.
> > > >
> > > > - -scm
> > > >
> > > >
> > > > > On 15-Jan-2002 Craig Van Tassle wrote:
> > > > > > > My loopback is supposed to be 127.0.0.1.. at least that is what
> > > > > > > my ifconfig shows me..  and I have no idea what program is
> > > > > > > running on that port. Do you think that I could have a possible
> > > > > > > intrusion?
> > > > > >
> > > > > > Thanks
> > > > > > Craig
> > > > > >
> > > > > > On Tue, Jan 15, 2002 at 10:44:48AM -0800, Glenn Pitcher wrote:
> > > > > >> No, you can't bypass the firewall using the loopback interface.
> > > > > > >> What's interesting though is the IP address they're using...
> > > > > >> usually loopback is 127.0.0.1 and the port number, 5460 isn't
> > > > > >> assigned to anyone so what program is running?
> > > > > >>
> > > > > >> -----Original Message-----
> > > > > >> From: Craig Van Tassle [mailto:[EMAIL PROTECTED]]
> > > > > >> Sent: Monday, January 14, 2002 8:48 AM
> > > > > >> To: secuirty-basics
> > > > > >> Subject: loopback device
> > > > > >>
> > > > > >>
> > > > > > >> Is it possible for someone over a network to use my loopback to
> > > > > > >> bypass my firewall?  If so, what can I do to mitigate the
> > > > > > >> problem and how damaging can it be?
> > > > > > >>
> > > > > > >> The reason I'm asking is my Snort system is showing bad loopback
> > > > > > >> traffic.. thanks
> > > > > > >>
> > > > > > >> Here is a snippet from my snort logs.
> > > > > >>
> > > > > >> [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
> > > > > >> [Classification: Potentially Bad Traffic] [Priority: 2]
> > > > > >> 01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
> > > > > >> TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
> > > > > >> ******S* Seq: 0x3F4BB00A  Ack: 0x0  Win: 0x200  TcpLen: 20
> > > > > >>
> > > > > >> Thanks
> > > > > >> Craig
> > > > > >>
> > > > > >>
> > > > >
> > > > > - --
> > > > > Phillip O'Donnell
> > > > > Software Engineer, Esphion Limited
> > > > > [EMAIL PROTECTED]
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > >
> >
> 
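
An added example, not part of the original thread: a small triage helper for the Snort alert quoted at the start of this discussion. It shows that the destination 127.167.228.85 lies inside the reserved loopback block 127.0.0.0/8 even though it is not 127.0.0.1, that the source does not, and that the packet is a bare SYN. The function name and result keys are hypothetical.

```python
import ipaddress
import re

# The whole 127.0.0.0/8 block is reserved for loopback, not only 127.0.0.1.
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

# Alert text copied from the Snort log quoted in this thread.
SAMPLE_ALERT = """\
[**] [1:528:2] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
******S* Seq: 0x3F4BB00A  Ack: 0x0  Win: 0x200  TcpLen: 20
"""

# "src:port -> dst:port" line of a Snort full-format alert (IPv4 only).
FLOW_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)
# Eight-character TCP flag field (1 2 U A P R S F, '*' when a flag is unset).
FLAGS_RE = re.compile(r"^([*12UAPRSF]{8})\s+Seq:", re.MULTILINE)


def triage_loopback_alert(alert_text):
    """Classify the endpoints and TCP flags of one Snort alert (hypothetical helper)."""
    flow = FLOW_RE.search(alert_text)
    if flow is None:
        raise ValueError("no 'src:port -> dst:port' line found")
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    flags_match = FLAGS_RE.search(alert_text)
    flags = flags_match.group(1).replace("*", "") if flags_match else ""
    src_lo = src in LOOPBACK_NET
    dst_lo = dst in LOOPBACK_NET
    return {
        "src": str(src),
        "dst": str(dst),
        "dport": int(flow["dport"]),
        "src_is_loopback": src_lo,
        "dst_is_loopback": dst_lo,
        # Exactly one endpoint in 127/8: not ordinary local loopback traffic.
        "one_sided_loopback": src_lo != dst_lo,
        # SYN with no other flag set: a connection attempt, not an open session.
        "syn_only": flags == "S",
    }


if __name__ == "__main__":
    print(triage_loopback_alert(SAMPLE_ALERT))
```
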