Honeypots mailing list archives
Re: Log help [resend]
From: paul <xml () mailandnews com>
Date: 17 Mar 2003 15:49:44 +0000
[resent since it didn't get through first time] Rhett wrote:
"How" is this traffic coming through my firewall. I'm not allowing port 43545 into this device. This device shouldn't be trying to get to any web pages, and I'm not seeing the SYN packet attempt on the way out.
I installed honeyd a few days ago and probably came across the same issue. What's happening is the SYN to port 80 comes in and is sniffed by honeyd's calls to libpcap. Then it sends a SYN-ACK back to the source, which has the unintended consequence of opening up a hole in a stateful firewall (iptables in my case). Then the next packet comes in, is replied to by honeyd, but is also passed through your firewall to the destination, which doesn't know about the connection, so resets it.
Also, what do the characters after the port number mean? I believe the number is the time the "connection" was used, but is that in seconds? What do the last characters (SA, RA) mean? Why does that differ from this entry?
syn+ack, reset+ack.
Looking at the source, "S" and "E" are the start and end of a flow that it is handling, whereas "-" are packets it isn't handling, but just logging.
To solve the problem, you need to drop all incoming traffic so that it can't be accepted even if it's in the state table. If you're using iptables and have no legitimate web servers, then you could just insert an
iptables -I INPUT -i eth0 -m tcp -p tcp --dport 80 -j DROP
You might also like to read this, for more info: http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
Paul
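The log fields Paul decodes above (S/E flow markers, "-" for packets only logged, SA/RA flag letters) can be turned into a small parser that spots the exact symptom he describes: a flow honeyd started that is later torn down by a RST+ACK from the real host behind the firewall. This is an added example and not code from the thread or from honeyd itself; the line layout it assumes (timestamp, proto(num), S|E|-, src sport dst dport, and for "-" lines a trailing length and flag letters) and the sample log lines with documentation-range addresses are constructed for illustration.

```python
"""Parser for honeyd-style log lines (assumed format) plus a detector for
flows that honeyd answered but a real host later reset.

Assumed line layout, modelled on honeyd's -l log (an assumption, not taken from the post):
  <timestamp> <proto>(<num>) <S|E|-> <src> <sport> <dst> <dport>[: <field> <field>]
  S / E  = start / end of a flow honeyd is handling
  -      = a packet honeyd only logs; trailing fields assumed to be length and TCP flag letters
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP flag letters as printed in the log, expanded for readability (SA = SYN+ACK, RA = RST+ACK).
FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\((?P<pnum>\d+)\)\s+(?P<kind>[SE-])\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
    r"(?::\s*(?P<rest>.*))?$"
)

# Constructed sample log (not a real capture): the first flow is answered by honeyd
# and then reset by the real host 192.0.2.10, the second completes normally.
SAMPLE_LOG = """\
2003-03-17-15:49:44.0001 tcp(6) S 198.51.100.7 43545 192.0.2.10 80
2003-03-17-15:49:44.0010 tcp(6) - 192.0.2.10 80 198.51.100.7 43545: 40 RA
2003-03-17-15:49:44.0011 tcp(6) E 198.51.100.7 43545 192.0.2.10 80: 0 0
2003-03-17-15:50:01.0000 tcp(6) S 203.0.113.5 51000 192.0.2.11 80
2003-03-17-15:50:03.0000 tcp(6) E 203.0.113.5 51000 192.0.2.11 80: 120 0
2003-03-17-15:50:09.0000 tcp(6) - 203.0.113.5 51001 192.0.2.11 22: 60 S
"""


@dataclass
class Record:
    ts: str
    proto: str
    kind: str                     # "S" flow start, "E" flow end, "-" logged only
    src: str
    sport: int
    dst: str
    dport: int
    length: Optional[int] = None  # only filled for "-" TCP lines
    flags: Tuple[str, ...] = ()   # decoded flag names, e.g. ("RST", "ACK")


def decode_flags(letters: str) -> Tuple[str, ...]:
    """Expand 'SA' -> ('SYN', 'ACK'); unknown letters are kept verbatim."""
    return tuple(FLAG_NAMES.get(c, c) for c in letters)


def parse_line(line: str) -> Record:
    """Parse one log line into a Record; raises ValueError on lines outside the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised honeyd log line: {line!r}")
    rec = Record(m["ts"], m["proto"], m["kind"], m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]))
    rest = (m["rest"] or "").split()
    if rec.kind == "-" and rec.proto == "tcp" and len(rest) >= 2:
        rec.length = int(rest[0])
        rec.flags = decode_flags(rest[1])
    return rec


def parse_log(text: str) -> List[Record]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def flows_with_reset(records: List[Record]) -> List[Tuple[str, int, str, int]]:
    """Return (src, sport, dst, dport) of flows honeyd started (S) for which a RST was
    later logged on the same connection in either direction. That is the symptom in the
    thread: the real destination, which never saw the handshake, resetting a connection
    honeyd already answered, i.e. the SYN-ACK punched through the stateful firewall."""
    started = set()
    reset: List[Tuple[str, int, str, int]] = []
    for r in records:
        key = (r.src, r.sport, r.dst, r.dport)
        if r.kind == "S":
            started.add(key)
        elif r.kind == "-" and "RST" in r.flags:
            rev = (r.dst, r.dport, r.src, r.sport)
            for candidate in (key, rev):
                if candidate in started and candidate not in reset:
                    reset.append(candidate)
    return reset


if __name__ == "__main__":
    for flow in flows_with_reset(parse_log(SAMPLE_LOG)):
        print("flow answered by honeyd but reset by the real host:", flow)
```

If this reports flows on a live honeyd box, it is the cue to check that an explicit DROP for the honeypot ports sits ahead of the ESTABLISHED/RELATED accept rule, as the reply above suggests with `iptables -I INPUT`.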
Current thread:
- Re: Log help [resend] paul (Mar 17)