Security Incidents mailing list archives
Re: Invalid IP address
From: "Kerry Thompson" <kerry () crypt gen nz>
Date: Tue, 22 Oct 2002 15:35:15 +1300 (NZDT)
You seem to be correct, someone on 68.84.8.41 is trying to access various other sites.

One thing that is confusing in the log entries is the port number (0) which is being reported. Cisco access lists log the entry as port 0 when you don't explicitly specify the port number in the access list, so an ACL like:

    access-list 100 deny ip 10.0.0.0 0.255.255.255 any log

will create logs with port 0 as the port, however ACLs like:

    access-list 100 deny tcp 10.0.0.0 0.255.255.255 any range 0 65535 log
    access-list 100 deny udp 10.0.0.0 0.255.255.255 any range 0 65535 log
    access-list 100 deny ip 10.0.0.0 0.255.255.255 any log

will log the port numbers and produce a more understandable output - i.e. you will be able to see which port and know which service the device is attempting to connect to.

Kerry

Steven Lee said:
I am seeing this on my router syslog after I applied an access list on the internal interface. Can anyone tell me what this could be? The 68.84.8.41 is a comcast IP that is active on the network; however, someone inside our network is attempting to use it to go out to other sites? Thanks for your help.

    l7.Info X.X.X.X 38644: .Oct 21 13:40:27: %SEC-6-IPACCESSLOGP: list 101 denied tcp 68.84.8.41(0) -> 67.34.160.17(0), 1 packet
    2002-10-21 13:35:37 Local7.Info X.X.X.X 38645: .Oct 21 13:40:28: % SEC-6-IPACCESSLOGP: list 101 denied tcp 68.84.8.41(0) -> 217.121.116.154 (0), 1 packet
[snip]

--
Kerry Thompson, CCNA CISSP
Information Systems Security Consultant
http://www.crypt.gen.nz kerry () crypt gen nz

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
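A triage sketch for the log format discussed in this message, added here as an example and not code from the thread: it parses `%SEC-6-IPACCESSLOGP` entries, tolerates the spacing that e-mail wrapping introduced, and marks TCP/UDP entries where both ports read 0 as "ports not recorded" so they are not mistaken for traffic to port 0. The function names, the `ports_unrecorded` field and the third sample entry are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two entries quoted in the thread (syslog prefix
# trimmed, e-mail wrapping left in), plus one invented entry with real ports.
SAMPLE = """\
.Oct 21 13:40:27: %SEC-6-IPACCESSLOGP: list 101 denied tcp 68.84.8.41(0) -> 67.34.160.17(0), 1 packet
.Oct 21 13:40:28: % SEC-6-IPACCESSLOGP: list 101 denied tcp 68.84.8.41(0) -> 217.121.116.154 (0), 1 packet
.Oct 21 13:41:02: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(1025) -> 198.51.100.7(80), 3 packets
"""

# \s* absorbs the spaces that line wrapping inserted after '%' and before '('.
ENTRY = re.compile(
    r"%\s*SEC-6-IPACCESSLOGP:\s+list\s+(?P<acl>\S+)\s+(?P<action>denied|permitted)"
    r"\s+(?P<proto>\w+)\s+(?P<src>[\d.]+)\s*\((?P<sport>\d+)\)\s*->\s*"
    r"(?P<dst>[\d.]+)\s*\((?P<dport>\d+)\),\s+(?P<count>\d+)\s+packets?"
)

def parse(text):
    """Return one dict per IPACCESSLOGP entry found in text."""
    entries = []
    for m in ENTRY.finditer(text):
        e = m.groupdict()
        for key in ("sport", "dport", "count"):
            e[key] = int(e[key])
        # 0 on both sides of a TCP/UDP entry means the matching ACL line did not
        # name ports (as the reply explains), not that port 0 was the target.
        e["ports_unrecorded"] = (
            e["proto"] in ("tcp", "udp") and e["sport"] == 0 and e["dport"] == 0
        )
        entries.append(e)
    return entries

def summarize(entries):
    """Group entries by source address for triage."""
    out = defaultdict(lambda: {"destinations": set(), "packets": 0, "ports_unrecorded": 0})
    for e in entries:
        s = out[e["src"]]
        s["destinations"].add(e["dst"])
        s["packets"] += e["count"]
        s["ports_unrecorded"] += e["ports_unrecorded"]
    return dict(out)

if __name__ == "__main__":
    for src, s in summarize(parse(SAMPLE)).items():
        print(src, sorted(s["destinations"]), s["packets"], s["ports_unrecorded"])
```

A source whose entries are all counted under `ports_unrecorded` indicates that the ACL line doing the logging should be rewritten with explicit port ranges, as in the reply, before any conclusion is drawn about the service being contacted.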