Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Interesting packets

From: "Jeremy Junginger" <jjunginger () usbestcrm com>
Date: Mon, 16 Sep 2002 08:30:48 -0700
I've been tracing these packets for a while now, and am having a bit of
trouble deciphering what's happening.  It appears that this host is
attempting to contact an external host over udp port 8197 where the
firewall blocks it.  Interesting points are:

It looks like host x.x.x.4 is initiating a udp session with 68.60.32.5
over port 8197.  
We block this port with egress filtering at the firewall, as it is not a
dataflow we utilize in our production systems.  
Anybody deciphered similar alerts?


Generated by ACID v0.9.6b21 on Mon September 16, 2002 08:02:58

------------------------------------------------------------------------
------
#(1 - 8399) [2002-09-16 06:50:18]  ICMP Destination Unreachable
(Communication Administratively Prohibited)
IPv4: 68.60.32.249 -> x.x.x.4
      hlen=5 TOS=0 dlen=56 ID=2147 flags=0 offset=0 TTL=241 chksum=31000
ICMP: type=Destination Unreachable code=Packet Filtered
      checksum=42554 id= seq=
Payload:  length = 32

000 : 00 00 00 00 45 00 00 3D 78 26 00 00 70 11 8B 34   ....E..=x&..p..4
010 : AC 10 37 04 44 3C 20 05 0F 72 00 35 00 29 46 E8   ..7.D< ..r.5.)F.

Original IP information:  UDP x.x.x.4 x.xyz.com 17468 68.60.32.5
ns01.pntiac01.mi.comcast.net 8197 

-Jeremy


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: