Hi

On 23.03.2020 at 15:44, Vieri Di Paola wrote:
> On Mon, Mar 23, 2020 at 2:03 PM Erich Titl <erich.t...@think.ch> wrote:
>>
>>>>> IN=ppp3 OUT= MAC= SRC=1.2.3.4 DST=4.3.2.1 LEN=72 TOS=0x00 PREC=0x00
>>>>> TTL=48 ID=46761 DF PROTO=UDP SPT=41152 DPT=58129 LEN=52 MARK=0x3
>>>>>
>> ...
>>
>>>>> The user has no idea what this UDP connection is for, and I haven't
>>>>> found any program using this port (58129 is supposed to be in the
>>>>> dynamic range).
>>
>> You could set up a honeypot if it is always the same port or the same host.
>
> Both the SRC host and the port differ. Here's another recent example:
>
> IN=ppp3 OUT= MAC= SRC=2.1.3.4 DST=4.3.2.1.168 LEN=72 TOS=0x00
> PREC=0x00 TTL=62 ID=3049 DF PROTO=UDP SPT=42001 DPT=39958 LEN=52
> MARK=0x3
>
> I don't know why I'm getting this traffic from supposedly "clean"
> hosts (no apparent threats).
Maybe just blindly probing your firewall. Are you using incoming UDP for
anything? If not you could probably use this as a differentiator.

> BTW if it were always on one port, would I "simply" need to
> TARPIT(honeypot) that port and then run something like tcpdump on the
> Shorewall box and on the port in question?
> If that were true then which interface should tcpdump use? In my
> examples above, should it be ppp3?

I would set up an isolated system and redirect the respective traffic
there for analysis. But that is just an unproven idea.

cheers
ET
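Erich's honeypot suggestion only works "if it is always the same port or the same host", and Vieri's two samples alone cannot settle that. The script below is an added example, not part of the thread and not Shorewall code: it parses netfilter log lines in the format quoted above, keeps only inbound UDP on the logging interface (ppp3 in the thread), groups the hits by destination port and by source host, and reports which ports or hosts actually repeat and whether each port falls in the Linux default ephemeral range (32768-60999, net.ipv4.ip_local_port_range) or IANA's dynamic range (49152-65535). The log lines in SAMPLE_LOG are constructed placeholders modelled on the thread's format, not captured traffic; the helper that prints a tcpdump filter uses the same interface netfilter reported in IN=, which answers the "which interface" question.

```python
import re
from collections import defaultdict

# Constructed sample in the netfilter/Shorewall log format quoted in the thread.
# Addresses and ports are placeholders, not captured traffic. The last two lines
# are deliberately non-matching (TCP, and a different interface) to show filtering.
SAMPLE_LOG = """\
IN=ppp3 OUT= MAC= SRC=1.2.3.4 DST=4.3.2.1 LEN=72 TOS=0x00 PREC=0x00 TTL=48 ID=46761 DF PROTO=UDP SPT=41152 DPT=58129 LEN=52 MARK=0x3
IN=ppp3 OUT= MAC= SRC=2.1.3.4 DST=4.3.2.1 LEN=72 TOS=0x00 PREC=0x00 TTL=62 ID=3049 DF PROTO=UDP SPT=42001 DPT=39958 LEN=52 MARK=0x3
IN=ppp3 OUT= MAC= SRC=5.6.7.8 DST=4.3.2.1 LEN=72 TOS=0x00 PREC=0x00 TTL=55 ID=1200 DF PROTO=UDP SPT=40000 DPT=58129 LEN=52 MARK=0x3
IN=ppp3 OUT= MAC= SRC=5.6.7.8 DST=4.3.2.1 LEN=72 TOS=0x00 PREC=0x00 TTL=55 ID=1201 DF PROTO=UDP SPT=40001 DPT=12345 LEN=52 MARK=0x3
IN=ppp3 OUT= MAC= SRC=5.6.7.8 DST=4.3.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=1202 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
IN=eth0 OUT= MAC= SRC=192.168.1.10 DST=4.3.2.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=UDP SPT=53000 DPT=58129 LEN=52
"""

# Linux default net.ipv4.ip_local_port_range, and the IANA dynamic/private range.
LINUX_EPHEMERAL = (32768, 60999)
IANA_DYNAMIC = (49152, 65535)

FIELD_RE = re.compile(r'(\w+)=(\S*)')


def parse_line(line):
    """Split one netfilter log line into a dict of KEY=VALUE fields.

    LEN= appears twice on UDP lines (IP total length, then UDP length), so a
    repeated key is stored as L4_<KEY> to keep both values. Bare tokens with
    no '=' (DF, SYN, ...) are collected under 'flags'.
    """
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if key in fields:
            key = 'L4_' + key
        fields[key] = value
    fields['flags'] = {tok for tok in line.split() if '=' not in tok}
    return fields


def inbound_udp(log_text, iface):
    """Yield parsed lines that are inbound UDP on the given interface."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get('IN') == iface and f.get('PROTO') == 'UDP':
            yield f


def summarize(log_text, iface='ppp3'):
    """Group inbound UDP hits by destination port and by source host."""
    by_dport = defaultdict(lambda: {'hits': 0, 'srcs': set(), 'sports': set()})
    by_src = defaultdict(lambda: {'hits': 0, 'dports': set()})
    for f in inbound_udp(log_text, iface):
        dport, sport, src = int(f['DPT']), int(f['SPT']), f['SRC']
        by_dport[dport]['hits'] += 1
        by_dport[dport]['srcs'].add(src)
        by_dport[dport]['sports'].add(sport)
        by_src[src]['hits'] += 1
        by_src[src]['dports'].add(dport)
    return dict(by_dport), dict(by_src)


def in_range(port, rng):
    return rng[0] <= port <= rng[1]


def honeypot_candidates(by_dport, by_src):
    """Ports or hosts seen more than once: the only cases where a fixed
    honeypot/TARPIT rule on one port or one host could catch the traffic."""
    ports = sorted(p for p, e in by_dport.items() if e['hits'] > 1)
    hosts = sorted(h for h, e in by_src.items() if e['hits'] > 1)
    return ports, hosts


def tcpdump_filter(iface, dport):
    """tcpdump invocation to confirm the hit on the wire, on the same
    interface netfilter logged it on (the IN= field)."""
    return f"tcpdump -ni {iface} 'udp and dst port {dport}'"


if __name__ == '__main__':
    by_dport, by_src = summarize(SAMPLE_LOG, 'ppp3')
    for port, e in sorted(by_dport.items()):
        print(f"DPT={port} hits={e['hits']} distinct SRC={len(e['srcs'])} "
              f"linux_ephemeral={in_range(port, LINUX_EPHEMERAL)} "
              f"iana_dynamic={in_range(port, IANA_DYNAMIC)}")
    ports, hosts = honeypot_candidates(by_dport, by_src)
    print('repeating ports:', ports, 'repeating hosts:', hosts)
    for port in ports:
        print(tcpdump_filter('ppp3', port))
```

Run it against a real `/var/log/messages` or `journalctl -k` extract instead of SAMPLE_LOG; if every port and every host is a singleton, the traffic is wide scanning and a per-port TARPIT rule will not see a second packet, which is the situation Vieri describes.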
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users