Re: [suse-security] SuSEfirewall2 Logging Question

From: C. E. Brooks (charles.brooksswgsys.com)
Date: Tue Dec 09 2003 - 18:55:13 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The data in the "[]" is from the IP packet that ICMP is
reporting. The brackets are used to distinguish the reported
SRC/DST from those of the ICMP packet itself.

In this case the type code of "0" means that the report is
an "echo reply". That is the normal result of executing
"ping".

The ICMP messages report SRC/DST IP addresses that
are copied from the IP packet that caused the ICMP packet
to be generated.

See RFC792 at URL http://www.ietf.org/rfc/rfc0792.txt

Yours,

Charles

/ceb\

From RFC792:

   " ... Occasionally a
   gateway or destination host will communicate with a source host, for
   example, to report an error in datagram processing. For such
   purposes this protocol, the Internet Control Message Protocol (ICMP),
   is used. ICMP, uses the basic support of IP as if it were a higher
   level protocol, however, ICMP is actually an integral part of IP, and
   must be implemented by every IP module.

   ICMP messages are sent in several situations: for example, when a
   datagram cannot reach its destination, when the gateway does not have
   the buffering capacity to forward a datagram, and when the gateway
   can direct the host to send traffic on a shorter route.

   The Internet Protocol is not designed to be absolutely reliable. The
   purpose of these control messages is to provide feedback about
   problems in the communication environment, not to make IP reliable.
   There are still no guarantees that a datagram will be delivered or a
   control message will be returned. Some datagrams may still be
   undelivered without any report of their loss. The higher level
   protocols that use IP must implement their own reliability procedures
   if reliable communication is required.

   The ICMP messages typically report errors in the processing of
   datagrams. To avoid the infinite regress of messages about messages
   etc., no ICMP messages are sent about ICMP messages. Also ICMP
   messages are only sent about errors in handling fragment zero of
   fragmented datagrams. (Fragment zero has the fragment offset equal
   zero). "

> I am getting the following logs from a SuSEfirewall2:
>
> Dec 7 23:01:58 mailserver kernel: SuSE-FW-DROP-ICMP-CRIT IN=eth0 OUT= MAC=00:b0:d0:c6:12:b5:00:e0:b6:03:dc:f2:08:00 SRC=203.134.26.220 DST=192.168.100.242 LEN=56 TOS=0x00 PREC=0x00 TTL=245 ID=29751 DF PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.100.242 DST=211.26.232.31 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=0 FRAG:64 PROTO=TCP ]
> Dec 7 23:01:58 mailserver kernel: SuSE-FW-DROP-ICMP-CRIT IN=eth0 OUT= MAC=00:b0:d0:c6:12:b5:00:e0:b6:03:dc:f2:08:00 SRC=203.134.26.220 DST=192.168.100.242 LEN=56 TOS=0x00 PREC=0x00 TTL=245 ID=29755 DF PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.100.242 DST=211.26.232.31 LEN=111 TOS=0x00 PREC=0x00 TTL=53 ID=0 FRAG:64 PROTO=TCP ]
> Dec 7 23:02:02 mailserver kernel: SuSE-FW-DROP-ICMP-CRIT IN=eth0 OUT= MAC=00:b0:d0:c6:12:b5:00:e0:b6:03:dc:f2:08:00 SRC=203.134.26.220 DST=192.168.100.242 LEN=56 TOS=0x00 PREC=0x00 TTL=245 ID=29843 DF PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.100.242 DST=211.26.232.31 LEN=72 TOS=0x00 PREC=0x00 TTL=53 ID=0 FRAG:64 PROTO=TCP ]
>
> My questions are:
>
> Why is the MAC address what appears to be 2 MAC addresses concatenated
> together? Why is there SRC and DST inside [] and why are they different
> from the other IPs mentioned? This system's IP address is 192.168.100.242,
> which appears as the DST in the non-[] text, but is the SRC in the test
> inside the []. What gives?
>
> Any comments are most welcome.
>
> Grant
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE/1m7yu6hVDKPW4HMRAkh7AJ0Yfv2ENHKc+T7ucb5B1YH4geZuBgCcDcYT
a1Kr0H9g10ZwFtgxzm2iKR4=
=XhW3
-----END PGP SIGNATURE-----
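The following parser is an added example for readers of this thread; it is not code from the post, from SuSEfirewall2 or from the netfilter project. It takes the three log lines quoted above, splits the outer (ICMP) fields from the bracketed quoted-packet fields, breaks the concatenated MAC= field into destination MAC, source MAC and EtherType (the layout the netfilter LOG target uses), and looks each logged TYPE up in the RFC 792 message-type table cited in the reply, so the reader can check what the numbers on a given line actually denote. The field names are assumed from the quoted lines; the ICMP type names are RFC 792's.

```python
"""Parse SuSEfirewall2 (netfilter LOG) ICMP drop lines and explain the bracketed part.

Added example, not code from the original post. SAMPLE_LOG holds the three lines
quoted in the thread; ICMP_TYPES is the message-type table from RFC 792.
"""
import re
from collections import Counter

# ICMP message types as assigned in RFC 792 (type number -> name).
ICMP_TYPES = {
    0: "Echo Reply",
    3: "Destination Unreachable",
    4: "Source Quench",
    5: "Redirect",
    8: "Echo",
    11: "Time Exceeded",
    12: "Parameter Problem",
    13: "Timestamp",
    14: "Timestamp Reply",
    15: "Information Request",
    16: "Information Reply",
}

# The three lines quoted in the post (field names are taken from them).
SAMPLE_LOG = """
Dec 7 23:01:58 mailserver kernel: SuSE-FW-DROP-ICMP-CRIT IN=eth0 OUT= MAC=00:b0:d0:c6:12:b5:00:e0:b6:03:dc:f2:08:00 SRC=203.134.26.220 DST=192.168.100.242 LEN=56 TOS=0x00 PREC=0x00 TTL=245 ID=29751 DF PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.100.242 DST=211.26.232.31 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=0 FRAG:64 PROTO=TCP ]
Dec 7 23:01:58 mailserver kernel: SuSE-FW-DROP-ICMP-CRIT IN=eth0 OUT= MAC=00:b0:d0:c6:12:b5:00:e0:b6:03:dc:f2:08:00 SRC=203.134.26.220 DST=192.168.100.242 LEN=56 TOS=0x00 PREC=0x00 TTL=245 ID=29755 DF PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.100.242 DST=211.26.232.31 LEN=111 TOS=0x00 PREC=0x00 TTL=53 ID=0 FRAG:64 PROTO=TCP ]
Dec 7 23:02:02 mailserver kernel: SuSE-FW-DROP-ICMP-CRIT IN=eth0 OUT= MAC=00:b0:d0:c6:12:b5:00:e0:b6:03:dc:f2:08:00 SRC=203.134.26.220 DST=192.168.100.242 LEN=56 TOS=0x00 PREC=0x00 TTL=245 ID=29843 DF PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.100.242 DST=211.26.232.31 LEN=72 TOS=0x00 PREC=0x00 TTL=53 ID=0 FRAG:64 PROTO=TCP ]
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<prefix>\S+) (?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)[=:](\S*)")   # KEY=value, or KEY:value as in FRAG:64
INNER_RE = re.compile(r"\[(.*?)\]")      # the quoted original packet


def split_mac(field):
    """netfilter's MAC= field is dst MAC (6 bytes), src MAC (6 bytes), then EtherType (2 bytes)."""
    octets = field.split(":")
    if len(octets) != 14:
        return None
    return {
        "dst_mac": ":".join(octets[0:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": "".join(octets[12:14]),   # 0800 is IPv4
    }


def parse_fields(text):
    """KEY=value tokens become a dict; bare tokens such as DF are kept as flags."""
    fields, flags = {}, []
    for tok in text.split():
        m = KV_RE.fullmatch(tok)
        if m:
            fields[m.group(1)] = m.group(2)
        else:
            flags.append(tok)
    return fields, flags


def parse_line(line):
    """Return a record with outer (ICMP) fields, inner (quoted packet) fields and the MAC split, or None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    inner_text = ""
    im = INNER_RE.search(rest)
    if im:
        inner_text = im.group(1)
        rest = rest[: im.start()] + rest[im.end():]
    outer, flags = parse_fields(rest)
    inner, _ = parse_fields(inner_text)
    rec = {
        "timestamp": m.group("ts"), "host": m.group("host"), "prefix": m.group("prefix"),
        "outer": outer, "flags": flags, "inner": inner,
        "mac": split_mac(outer.get("MAC", "")), "icmp_type": None,
    }
    if outer.get("PROTO") == "ICMP" and "TYPE" in outer:
        t = int(outer["TYPE"])
        rec["icmp_type"] = ICMP_TYPES.get(t, "type %d (not in RFC 792)" % t)
    return rec


def explain(rec):
    """One-line reading of a record: who sent the ICMP, and which packet of ours it is about."""
    o, i = rec["outer"], rec["inner"]
    s = "%s %s: ICMP %s from %s to %s" % (
        rec["timestamp"], rec["prefix"], rec["icmp_type"], o.get("SRC"), o.get("DST"))
    if i:
        s += "; quotes our %s packet %s -> %s (LEN=%s) that triggered it" % (
            i.get("PROTO"), i.get("SRC"), i.get("DST"), i.get("LEN"))
    return s


def quoted_packet_was_ours(rec, local_ip):
    """True when the bracketed SRC is this host, i.e. the ICMP reports on a packet we sent."""
    return rec["inner"].get("SRC") == local_ip


def icmp_type_counts(lines):
    """Tally dropped ICMP lines by RFC 792 type name, for a quick view of what a log contains."""
    c = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["icmp_type"]:
            c[rec["icmp_type"]] += 1
    return c


if __name__ == "__main__":
    for line in SAMPLE_LOG.strip().splitlines():
        print(explain(parse_line(line)))
    print(dict(icmp_type_counts(SAMPLE_LOG.strip().splitlines())))
```

Run as a script it prints one explanation per line and the per-type tally; `quoted_packet_was_ours(rec, "192.168.100.242")` answers the poster's question about why the host's own address appears as SRC inside the brackets.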
