From: alastairduncans.screaming.net
Date: Mon Jan 15 2001 - 09:42:11 CST

    Hi all,

    can anyone shed some light on to these firewall log entries and the
    messages log entries

    Jan 14 18:54:45 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 64.94.163.226:8 62.64.169.128:0 L=84 S=0x00 I=335 F=0x0000 T=50 (#131)
    Jan 14 18:54:45 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 63.251.143.2:8 62.64.169.128:0 L=84 S=0x00 I=12076 F=0x0000 T=48 (#131)
    Jan 14 18:54:45 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 216.52.125.38:8 62.64.169.128:0 L=84 S=0x00 I=34458 F=0x0000 T=50 (#131)
    Jan 14 18:54:45 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 216.52.248.222:8 62.64.169.128:0 L=84 S=0x00 I=49103 F=0x0000 T=49 (#131)
    Jan 14 18:54:45 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 216.52.172.130:8 62.64.169.128:0 L=84 S=0x00 I=1370 F=0x0000 T=49 (#131)
    Jan 14 18:54:55 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 216.52.85.194:8 62.64.169.128:0 L=84 S=0x00 I=29649 F=0x0000 T=49 (#131)
    Jan 14 18:54:55 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 216.52.172.130:8 62.64.169.128:0 L=84 S=0x00 I=1520 F=0x0000 T=49 (#131)
    Jan 14 18:54:55 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 63.251.143.2:8 62.64.169.128:0 L=84 S=0x00 I=12221 F=0x0000 T=48 (#131)
    Jan 14 18:54:55 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 216.52.44.194:8 62.64.169.128:0 L=84 S=0x00 I=19612 F=0x0000 T=49 (#131)
    Jan 14 18:54:55 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 216.52.153.130:8 62.64.169.128:0 L=84 S=0x00 I=14678 F=0x0000 T=49 (#131)
    Jan 14 18:54:55 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 64.94.163.226:8 62.64.169.128:0 L=84 S=0x00 I=474 F=0x0000 T=50 (#131)
    Jan 14 18:54:55 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 209.155.224.130:8 62.64.169.128:0 L=84 S=0x00 I=20509 F=0x0000 T=40 (#131)

    Jan 14 18:55:05 wolfman named[313]: refused query on non-query socket from [216.52.85.194].3506
    Jan 14 18:55:05 wolfman named[313]: refused query on non-query socket from [216.52.153.130].3682
    Jan 14 18:55:05 wolfman named[313]: refused query on non-query socket from [64.94.163.226].3422
    Jan 14 18:55:05 wolfman named[313]: refused query on non-query socket from [209.155.224.130].2919
    Jan 14 18:55:05 wolfman named[313]: refused query on non-query socket from [216.52.44.194].1247
    Jan 14 18:55:05 wolfman named[313]: refused query on non-query socket from [216.52.172.130].3232
    Jan 14 18:55:05 wolfman named[313]: refused query on non-query socket from [63.251.143.2].25806
    Jan 14 18:55:05 wolfman named[313]: refused query on non-query socket from [216.52.248.222].2502
    Jan 14 18:55:05 wolfman named[313]: refused query on non-query socket from [216.52.125.38].9795
    Jan 14 18:55:15 wolfman named[313]: refused query on non-query socket from [216.52.85.194].3506
    Jan 14 18:55:15 wolfman named[313]: refused query on non-query socket from [216.52.153.130].3682
    Jan 14 18:55:15 wolfman named[313]: refused query on non-query socket from [64.94.163.226].3422
    Jan 14 18:55:15 wolfman named[313]: refused query on non-query socket from [216.52.44.194].1247
    Jan 14 18:55:15 wolfman named[313]: refused query on non-query socket from [209.155.224.130].2919
    Jan 14 18:55:15 wolfman named[313]: refused query on non-query socket from [63.251.143.2].25806
    Jan 14 18:55:15 wolfman named[313]: refused query on non-query socket from [216.52.172.130].3232
    Jan 14 18:55:15 wolfman named[313]: refused query on non-query socket from [216.52.248.222].2502
    Jan 14 18:55:15 wolfman named[313]: refused query on non-query socket from [216.52.125.38].9795

    snort reports them as:
     [**] IDS152/Ping BSDtype [**]
    01/14-18:54:55.654396 216.52.172.130 -> 62.64.169.128
    ICMP TTL:49 TOS:0x0 ID:1520
    ID:22384 Seq:41651 ECHO
     
    [**] IDS152/Ping BSDtype [**]
    01/14-18:54:55.674371 63.251.143.2 -> 62.64.169.128
    ICMP TTL:48 TOS:0x0 ID:12221
    ID:4905 Seq:35450 ECHO
     
    [**] IDS152/Ping BSDtype [**]
    01/14-18:54:55.694383 216.52.44.194 -> 62.64.169.128
    ICMP TTL:49 TOS:0x0 ID:19612
    ID:414 Seq:35927 ECHO
     
    [**] IDS152/Ping BSDtype [**]
    01/14-18:54:55.764391 216.52.153.130 -> 62.64.169.128
    ICMP TTL:49 TOS:0x0 ID:14678
    ID:17873 Seq:51298 ECHO
     
    [**] IDS152/Ping BSDtype [**]
    01/14-18:54:55.784388 64.94.163.226 -> 62.64.169.128
    ICMP TTL:50 TOS:0x0 ID:474
    ID:19664 Seq:46591 ECHO
     
    [**] IDS152/Ping BSDtype [**]
    01/14-18:54:55.904389 209.155.224.130 -> 62.64.169.128
    ICMP TTL:40 TOS:0x0 ID:20509
    ID:23026 Seq:32632 ECHO

    They usually follow the same format: denials and then refusals, and are
    happening more frequently. The list of denials each time gets longer and
    longer, with more machines joining in. The name server that is running is
    caching only for a small home network. SuSE 6.4 and the firewals package.

    TIA

    Alastair Duncan

    ---------------------------------------------------------------------
    To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
    For additional commands, e-mail: suse-security-help@suse.com
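An added example, not part of the original post or the list archive: a small Python parser for the two log formats quoted above (the ipchains "Packet log" line and the BIND "refused query on non-query socket" line) that groups both by source address, so a host denied on ICMP echo and then seen at named shortly afterwards is counted together. The sample lines are constructed from entries in the post; the 60 second correlation window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample input modelled on the ipchains "Packet log" and BIND
# "refused query" lines quoted in the post (addresses and IDs as posted).
PACKET_LOG = """\
Jan 14 18:54:45 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 64.94.163.226:8 62.64.169.128:0 L=84 S=0x00 I=335 F=0x0000 T=50 (#131)
Jan 14 18:54:55 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 64.94.163.226:8 62.64.169.128:0 L=84 S=0x00 I=474 F=0x0000 T=50 (#131)
Jan 14 18:54:55 wolfman kernel: Packet log: input DENY ppp0 PROTO=1 209.155.224.130:8 62.64.169.128:0 L=84 S=0x00 I=20509 F=0x0000 T=40 (#131)
""".splitlines()
NAMED_LOG = """\
Jan 14 18:55:05 wolfman named[313]: refused query on non-query socket from [64.94.163.226].3422
Jan 14 18:55:05 wolfman named[313]: refused query on non-query socket from [209.155.224.130].2919
Jan 14 18:55:15 wolfman named[313]: refused query on non-query socket from [64.94.163.226].3422
""".splitlines()
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: (?P<chain>\w+) "
    r"(?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<a>\d+) "
    r"(?P<dst>[\d.]+):(?P<b>\d+) L=(?P<len>\d+) S=0x\w+ I=(?P<ipid>\d+) F=0x\w+ "
    r"T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?$")
NAMED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: refused query on "
    r"non-query socket from \[(?P<src>[\d.]+)\]\.(?P<sport>\d+)$")
# syslog timestamps carry no year; all samples fall on one day, so deltas are safe
_ts = lambda s: datetime.strptime(s, "%b %d %H:%M:%S")

def parse_ipchains(line):
    """Return the ipchains fields as a dict, or None if the line is not a Packet log entry."""
    # For PROTO=1 (ICMP) ipchains prints ICMP type and code in the two "port" slots,
    # so "src:8 dst:0" is an echo request (type 8, code 0), not a port number.
    m = IPCHAINS_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = _ts(d["ts"])
    if d["proto"] == "1":
        d["icmp_type"], d["icmp_code"] = int(d["a"]), int(d["b"])
    return d

def correlate(packet_lines, named_lines, window=60):
    """Per source: denied echo requests, and refused named queries within `window` s of the first one."""
    first_echo, report = {}, defaultdict(lambda: {"echo": 0, "refused": 0})
    for d in filter(None, map(parse_ipchains, packet_lines)):
        if d["action"] == "DENY" and d.get("icmp_type") == 8:
            report[d["src"]]["echo"] += 1
            first_echo.setdefault(d["src"], d["ts"])
    for m in filter(None, map(NAMED_RE.match, named_lines)):
        src, ts = m["src"], _ts(m["ts"])
        if src in first_echo and 0 <= (ts - first_echo[src]).total_seconds() <= window:
            report[src]["refused"] += 1
    return dict(report)
```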