Snort mailing list archives
RE: Log entry
From: "Wirth, Jeff" <WirthJe () DNB com>
Date: Tue, 26 Feb 2002 14:16:06 -0500
> ID=38386 PROTO=ICMP TYPE=3 CODE=3

ICMP code 3 is a "Port Unreachable" message for a closed UDP port.

> [SRC=(outside) aa.aa.aaa.aaa DST=(me)xxx.xxx.xxx.xxx LEN=78 TOS=0x00 PREC=0x00 TTL=112 ID=20908 PROTO=UDP SPT=1046 DPT=137 LEN=58 ]

I am not really familiar with the iptables log format, but this looks like the IP header of the original message.

- Jeff

-----Original Message-----
From: Scott Taylor [mailto:scottt () soccer com]
Sent: Tuesday, February 26, 2002 1:07 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Log entry

I was wondering if anyone could help me decipher this log entry, or direct me to some place that could:

Feb 26 08:13:09 GENESIS1 kernel: IN= OUT=eth0 SRC=(me)xxx.xxx.xxx.xxx DST=(outside) aa.aa.aaa.aaa LEN=106 TOS=0x00 PREC=0xC0 TTL=255 ID=38386 PROTO=ICMP TYPE=3 CODE=3 [SRC=(outside) aa.aa.aaa.aaa DST=(me)xxx.xxx.xxx.xxx LEN=78 TOS=0x00 PREC=0x00 TTL=112 ID=20908 PROTO=UDP SPT=1046 DPT=137 LEN=58 ]

I'm using iptables. I know OUT=eth0 is where the packet got dropped, SRC=(me) is my external interface, and DST=(outside) is someone else. Why is there a second set of SRC and DST, the bracketed part? [SRC=(outside) DST=(me), PROTO is UDP, source port is 1046, destination port is 137.] Now I know 137 is a Windows port. I guess I'm confused as to who generated the packet, me or the outside IP, because the first source says it's me, and the second says it's the outside. Is this a spoofing type attack perhaps?

Thanks for any input.

Cheers,
Scott.

NOTE: I didn't post the IP's this time ;)

THERE IS ONLY ONE... SOCCER.COM, The Center of the Soccer Universe
http://www.soccer.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
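The following is an added example, not code from either poster: a small parser for the iptables LOG line quoted in this thread. It splits the entry into the outer header (the ICMP message itself) and the bracketed inner header (the datagram that provoked it), decodes ICMP type 3 code 3 per RFC 792, and applies two checks a practitioner would want before reading the entry as a spoof: whether the inner SRC/DST mirror the outer DST/SRC, as they must for a genuine ICMP error that echoes the offending packet's IP header, and whether IN= is empty with OUT= set, which with the LOG target means the packet was seen in the OUTPUT chain, i.e. generated by this host rather than forwarded. The masked addresses from the post are replaced by constructed RFC 5737 documentation addresses; the sample line and the field names L4LEN and the result keys are this example's own.

```python
import re
from typing import Dict, Optional

# Constructed sample: the LOG line from the thread with the masked
# "(me)" and "(outside)" addresses replaced by RFC 5737 documentation
# addresses. 198.51.100.20 stands for the poster's host, 203.0.113.5
# for the outside host.
SAMPLE_LINE = (
    "Feb 26 08:13:09 GENESIS1 kernel: IN= OUT=eth0 SRC=198.51.100.20 "
    "DST=203.0.113.5 LEN=106 TOS=0x00 PREC=0xC0 TTL=255 ID=38386 "
    "PROTO=ICMP TYPE=3 CODE=3 [SRC=203.0.113.5 DST=198.51.100.20 "
    "LEN=78 TOS=0x00 PREC=0x00 TTL=112 ID=20908 PROTO=UDP SPT=1046 "
    "DPT=137 LEN=58 ]"
)

# RFC 792 "Destination Unreachable" (ICMP type 3) codes.
UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source route failed",
}

TOKEN_RE = re.compile(r"([A-Z]+)=(\S*)")
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<body>.*)$"
)
INNER_RE = re.compile(r"\[(SRC=[^\]]*)\]")


def parse_tokens(text: str) -> Dict[str, str]:
    """Turn 'KEY=VALUE KEY= ...' into a dict. An empty value (IN=) is kept
    as ''. The LOG target prints LEN twice in a UDP header block (IP total
    length, then the UDP length); the second is stored under L4LEN, a name
    chosen for this example."""
    fields: Dict[str, str] = {}
    for key, value in TOKEN_RE.findall(text):
        if key == "LEN" and "LEN" in fields:
            key = "L4LEN"
        fields[key] = value
    return fields


def parse_iptables_log(line: str) -> Dict[str, object]:
    """Split a syslog-style iptables LOG line into the outer header and, for
    ICMP errors, the bracketed header of the datagram that triggered it."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-style iptables LOG line")
    body = m.group("body")
    inner_m = INNER_RE.search(body)
    outer_text = body[: inner_m.start()] if inner_m else body
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "outer": parse_tokens(outer_text),
        "inner": parse_tokens(inner_m.group(1)) if inner_m else None,
    }


def explain_icmp_error(record: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Interpret an ICMP Destination Unreachable entry. Returns None for
    anything that is not an ICMP type 3 message with an embedded header."""
    outer, inner = record["outer"], record["inner"]
    if outer.get("PROTO") != "ICMP" or outer.get("TYPE") != "3" or inner is None:
        return None
    code = int(outer["CODE"])
    # An ICMP error carries the IP header (plus 8 bytes of payload) of the
    # datagram it answers, so the inner addresses must mirror the outer ones.
    mirrored = inner["SRC"] == outer["DST"] and inner["DST"] == outer["SRC"]
    # IN= empty with OUT= set: the LOG rule matched in the OUTPUT chain, so
    # this host itself generated the ICMP message.
    local = outer.get("IN", "") == "" and bool(outer.get("OUT"))
    return {
        "meaning": UNREACHABLE_CODES.get(code, f"unreachable code {code}"),
        "error_sender": outer["SRC"],        # who sent the ICMP message
        "error_receiver": outer["DST"],
        "original_src": inner["SRC"],        # who sent the datagram it answers
        "original_dst": inner["DST"],
        "original_proto": inner.get("PROTO"),
        "original_dport": int(inner["DPT"]) if "DPT" in inner else None,
        "addresses_mirror": mirrored,
        "locally_generated": local,
    }


if __name__ == "__main__":
    info = explain_icmp_error(parse_iptables_log(SAMPLE_LINE))
    print(
        f"{info['error_sender']} answered a {info['original_proto']} datagram "
        f"from {info['original_src']} to port {info['original_dport']} "
        f"with ICMP {info['meaning']} "
        f"(local={info['locally_generated']}, mirror={info['addresses_mirror']})"
    )
```

On the sample, the outer header names the poster's own host as SRC because his kernel generated the ICMP reply; the bracketed header names the outside host as SRC because it sent the UDP datagram to port 137 that the reply answers. Both checks pass, so the two "sources" are the expected two directions of one exchange rather than a spoof; an entry where the inner and outer addresses fail to mirror each other is the one worth a closer look.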
Current thread:
- Log entry Scott Taylor (Feb 26)
- <Possible follow-ups>
- RE: Log entry Wirth, Jeff (Feb 26)