From: Wirth, Jeff (WirthJeDNB.com)
Date: Tue Feb 26 2002 - 13:16:06 CST


    > ID=38386 PROTO=ICMP TYPE=3 CODE=3

    ICMP code 3 is a "Port Unreachable" message for a closed UDP port.

    > aa.aa.aaa.aaa DST=(me)xxx.xxx.xxx.xxx LEN=78
    > TOS=0x00 PREC=0x00 TTL=112 ID=20908 PROTO=UDP
    > SPT=1046 DPT=137 LEN=58 ]

    I am not really familiar with the iptables log format, but this looks like the IP
    header of the original message.

    - Jeff

    -----Original Message-----
    From: Scott Taylor [mailto:scotttsoccer.com]
    Sent: Tuesday, February 26, 2002 1:07 PM
    To: snort-users@lists.sourceforge.net
    Subject: [Snort-users] Log entry

    I was wondering if anyone could help me decipher
    this log entry. Or direct me to some place that
    could:

    Feb 26 08:13:09 GENESIS1 kernel: IN= OUT=eth0
    SRC=(me)xxx.xxx.xxx.xxx DST=(outside)
    aa.aa.aaa.aaa LEN=106 TOS=0x00 PREC=0xC0 TTL=255
    ID=38386 PROTO=ICMP TYPE=3 CODE=3 [SRC=(outside)
    aa.aa.aaa.aaa DST=(me)xxx.xxx.xxx.xxx LEN=78
    TOS=0x00 PREC=0x00 TTL=112 ID=20908 PROTO=UDP
    SPT=1046 DPT=137 LEN=58 ]

    I'm using iptables. I know OUT=eth0 is where the
    packet got dropped SRC=(me) is my external if.
    DST=(outside) is someone else. Why is there a
    second set of SRC and DST? the bracketed part?
    [SRC=(outside) DST=(me) PROTO is UDP and source
    port is 1046 destination port is 137]

    Now I know 137 is a Windows port. I guess I'm
    confused as to who generated the packet. Me or
    The outside IP, because the first source says
    it's me, and the second says it's the outside.

    Is this a spoofing type attack perhaps?

    Thanks for any input.

    Cheers,
    Scott.
    NOTE: I didn't post the IP's this time ;)

    THERE IS ONLY ONE...
    SOCCER.COM, The Center of the Soccer Universe
    http://www.soccer.com

    _______________________________________________
    Snort-users mailing list
    Snort-users@lists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
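As an added illustration of the explanation above (this is not code from the thread), the following parser splits an iptables LOG line like Scott's into the outer ICMP header and the bracketed header of the datagram that provoked it, then reports who originated the original UDP packet and checks that the embedded header is consistent with the responder. The sample line is constructed from the thread's fields with RFC 5737 documentation addresses standing in for the masked IPs.

```python
import re

# Constructed sample modelled on the thread's log entry; 192.0.2.10 plays "(me)",
# 198.51.100.7 plays "(outside)".
SAMPLE = ("Feb 26 08:13:09 GENESIS1 kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 "
          "LEN=106 TOS=0x00 PREC=0xC0 TTL=255 ID=38386 PROTO=ICMP TYPE=3 CODE=3 "
          "[SRC=198.51.100.7 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=112 ID=20908 "
          "PROTO=UDP SPT=1046 DPT=137 LEN=58 ]")

# ICMP type 3 ("Destination Unreachable") codes from RFC 792.
UNREACH_CODES = {"0": "net", "1": "host", "2": "protocol", "3": "port"}

KV = re.compile(r"([A-Z]+)=(\S*)")  # KEY=value tokens; IN= may have an empty value


def parse_iptables_log(line: str) -> dict:
    """Return {'outer': {...}, 'inner': {...} or None}.

    For ICMP error messages iptables appends, in square brackets, the header of
    the packet that triggered the error.  Repeated keys keep the last value, so
    the inner LEN reflects the UDP length (58), not the IP length (78).
    """
    inner = None
    m = re.search(r"\[(.*?)\]", line)
    if m:
        inner = dict(KV.findall(m.group(1)))
        line = line[:m.start()] + line[m.end():]
    return {"outer": dict(KV.findall(line)), "inner": inner}


def explain(line: str) -> dict:
    """Interpret an ICMP unreachable entry: who answered, who originally sent."""
    p = parse_iptables_log(line)
    o, i = p["outer"], p["inner"]
    if o.get("PROTO") != "ICMP" or o.get("TYPE") != "3":
        return {"kind": "other", "outer": o, "inner": i}
    r = {"kind": "icmp-unreachable", "code": o.get("CODE"),
         "reason": UNREACH_CODES.get(o.get("CODE"), "unknown"),
         "responder": o.get("SRC"), "originator": None, "consistent": None}
    if i:
        r["originator"] = i.get("SRC")           # the host whose probe was refused
        r["inner_proto"] = i.get("PROTO")
        r["target_port"] = i.get("DPT")          # 137 here: NetBIOS name service
        # The embedded header must name the responder as its destination;
        # a mismatch means the error does not match a packet this host received.
        r["consistent"] = i.get("DST") == o.get("SRC")
    return r


if __name__ == "__main__":
    print(explain(SAMPLE))
```

For the sample, `explain` reports responder 192.0.2.10, originator 198.51.100.7, target port 137, reason "port" and consistent=True: the local host is replying "port unreachable" to an outside probe of UDP/137, not sending anything on its own initiative.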