Vulnerability Development mailing list archives
Firewall-1 Logging *Issue*
From: frantzen () EXPERT CC PURDUE EDU (Mike Frantzen)
Date: Thu, 13 Jan 2000 22:32:58 -0500
Since BB wants some list traffic and I don't want to do math homework, here goes.

While dinking with an eval version of Firewall-1 4.0 last summer, I ran across an 'oddity' in the logging.

Brief background:
  Ultra 2 w/ dual 200mhz
  Solaris 2.6 w/ recommended cluster (As of last summer)
  Firewall-1 4.0 (right off the CD, no patches)
    - Allow outgoing DNS and Telnet
    - Drop everything else

Using a tool of mine (http://expert.cc.purdue.edu/~frantzen/isic-0.04.tgz) that was hurling around 3,000 tcp packets through the firewall. The destination IP and ports were randomized but the source IP (source port, tcp flags, ip/tcp options, the works, all randomized for every packet)

Now while watching the logs grow (really really fast), I saw that the source IP was being diddled on. For a few seconds of traffic, the source IP was losing the high bit. Ie, a 132.3.2.1 would become a 4.3.2.1. The next few thousand packets would also have the wrong source IP. After a few seconds and a few thousand packets, the source IP would be reported correctly in the log viewer. Waiting awhile longer and it would drop the MSB again. Rinse, lather, and repeat.

Best guess is that the IP is being stored in an unsigned int and it gets converted to a signed int and back to an unsigned somewhere. I personally feel that this occurs in the log condensing hash table but I couldn't reliably reproduce it.

Note: little endian machines (x86) will show the effects differently.

Shit, I guess this means I have to do math homework now. Bah

later,
.mike
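The symptom reported in the message above, modelled as an added example (not code from the original post and not Firewall-1's code): the 32-bit address word loses its most significant bit, and which octet that bit belongs to depends on the host's byte order. Assumptions: the `0x7fffffff` mask stands in for whatever the product actually does, the address sits in memory in network byte order and is read as a native word, and every function name is hypothetical; `matches_modulo_msb` is a log-review helper for pairing a logged source with the address seen on the wire.

```c
#include <stdint.h>
#include <stdio.h>

/* Byte order of the logging host (modelled here, not detected). */
enum byte_order { ORDER_BIG, ORDER_LITTLE };

/* Load four network-order octets as a native 32-bit word would be read. */
static uint32_t load_word(const uint8_t o[4], enum byte_order bo)
{
    if (bo == ORDER_BIG)
        return ((uint32_t)o[0] << 24) | ((uint32_t)o[1] << 16) |
               ((uint32_t)o[2] << 8) | o[3];
    return ((uint32_t)o[3] << 24) | ((uint32_t)o[2] << 16) |
           ((uint32_t)o[1] << 8) | o[0];
}

/* Inverse of load_word: write the word back out as four octets. */
static void store_word(uint32_t w, enum byte_order bo, uint8_t o[4])
{
    for (int i = 0; i < 4; i++)
        o[i] = (uint8_t)(w >> (bo == ORDER_BIG ? 24 - 8 * i : 8 * i));
}

/* Assumed fault model: the word loses its most significant bit. */
void logged_address(const uint8_t wire[4], enum byte_order bo, uint8_t out[4])
{
    store_word(load_word(wire, bo) & 0x7fffffffu, bo, out);
}

/* Log review: is `logged` equal to `wire` apart from that one bit? */
int matches_modulo_msb(const uint8_t logged[4], const uint8_t wire[4],
                       enum byte_order bo)
{
    return ((load_word(logged, bo) ^ load_word(wire, bo)) & 0x7fffffffu) == 0;
}

int main(void)
{
    const uint8_t a[4] = {132, 3, 2, 1};  /* address from the message */
    const uint8_t b[4] = {1, 2, 3, 132};  /* constructed sample */
    uint8_t out[4];
    logged_address(a, ORDER_BIG, out);
    printf("big-endian:    132.3.2.1 -> %u.%u.%u.%u\n", out[0], out[1], out[2], out[3]);
    logged_address(b, ORDER_LITTLE, out);
    printf("little-endian: 1.2.3.132 -> %u.%u.%u.%u\n", out[0], out[1], out[2], out[3]);
    return 0;
}
```

Under this model a big-endian host such as the Ultra 2 alters the first octet, while a little-endian host would alter the last one.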