Subject: Re: Odd Firewall Entries
From: Ed Padin (epadin WAGWEB.COM)
Date: Mon Apr 24 2000 - 15:07:26 CDT
Well, I found a reference to IP protocol numbers here:
http://andrew2.andrew.cmu.edu/rfc/rfc1700.html
But I don't know what uses "NBMA Next Hop Resolution Protocol". Could it be
some VPN product? Or do routers use this? Did you capture a dump of the
entire packet or just headers?
>-----Original Message-----
>From: Vincent Sweeney [mailto:v.sweeney DEXTERUS.COM]
>Sent: Thursday, April 20, 2000 7:37 PM
>To: INCIDENTS SECURITYFOCUS.COM
>Subject: Odd Firewall Entries
>
>
>I have suddenly been receiving a lot of odd looking entries, like the
>examples pasted below, from a total of 4 IP addresses. It's directed at a
>very public facing Linux server which receives all the usual port scans and
>attempted exploits. However this is the 1st time I've seen anything like
>this (repeated non-standard protocol packets sent to the same server) and
>was wondering if anyone has seen the like before and / or knows any more info?
>
>Thanks,
> Vince.
>
>----
>
>Apr 19 11:13:47 kernel: Packet log: input DENY eth0 PROTO=54 137.248.121.114:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=16 O=0x00000494 (#17)
>
>Apr 19 23:41:45 kernel: Packet log: input DENY eth0 PROTO=54 195.38.228.141:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=22 O=0x00000494 (#17)
>
>Apr 19 23:41:55 kernel: Packet log: input DENY eth0 PROTO=54 195.38.228.141:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=22 O=0x00000494 (#17)
>
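The triage both messages are doing by hand, as an added example that is not part of either poster's message: a Python pass over kernel "Packet log:" lines that flags denied packets whose IP protocol is not ICMP, TCP or UDP and groups them by source. The regular expression, the function names and the fourth sample line (a constructed TCP entry with documentation addresses) are assumptions of this example; protocol 54 is named as in the RFC 1700 list linked above.

```python
import re
from collections import defaultdict

# Protocols an Internet-facing host normally sees; anything else is flagged.
EXPECTED = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Name for protocol 54 as given in the RFC 1700 list cited in the thread.
NAMES = {**EXPECTED, 54: "NBMA Next Hop Resolution Protocol"}

# Field layout inferred from the log lines quoted in the post (an assumption).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) kernel: Packet log: (?P<chain>\S+) "
    r"(?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) .*?T=(?P<ttl>\d+)"
)

# First three lines: from the post, wrapped lines rejoined, destination redacted
# as posted. Last line: constructed TCP entry for contrast.
SAMPLE = """\
Apr 19 11:13:47 kernel: Packet log: input DENY eth0 PROTO=54 137.248.121.114:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=16 O=0x00000494 (#17)
Apr 19 23:41:45 kernel: Packet log: input DENY eth0 PROTO=54 195.38.228.141:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=22 O=0x00000494 (#17)
Apr 19 23:41:55 kernel: Packet log: input DENY eth0 PROTO=54 195.38.228.141:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=22 O=0x00000494 (#17)
Apr 19 23:50:02 kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.77:4321 192.0.2.10:23 L=60 S=0x00 I=1234 F=0x4000 T=52 (#12)
"""

def unusual_protocols(log_text):
    """Return {(proto, source): [(timestamp, length, ttl), ...]} for flagged packets."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a packet-log line, or a layout this regex does not cover
        proto = int(m["proto"])
        if proto not in EXPECTED:
            hits[(proto, m["src"])].append((m["ts"], int(m["len"]), int(m["ttl"])))
    return dict(hits)

def report(hits):
    """One summary line per (protocol, source) pair, sorted for stable output."""
    out = []
    for (proto, src), pkts in sorted(hits.items()):
        name = NAMES.get(proto, "name not in table")
        out.append(f"proto {proto} ({name}) from {src}: {len(pkts)} packet(s), "
                   f"first {pkts[0][0]}, last {pkts[-1][0]}")
    return out

if __name__ == "__main__":
    print("\n".join(report(unusual_protocols(SAMPLE))))
```

The per-source TTL and length values kept in each hit are the fields to compare when deciding whether several sources are sending the same packet.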