Re: weird IP options.

[Andy Smith <andy () centralworks com>]

> From Cisco Universal CD:

Log Message %PIX-2-106012: Deny IP from IP_addr to IP_addr, IP options hex.

Explanation  - This a connection-related message. A IP packet was seen with
IP options.   Since IP  options are considered a security risk, the packet
was discarded.

Recommended Action -  A security breach was probably attempted. Check local
site for loose source or strict source routing.

Andy Smith
Centralworks LLC



esteban wrote:

> hi-
>
>  I am trying to find out what the following entries in my PIX log might
> be (IP's have been changed) to protect the innocent.
>
> 7/25/99,5:59:50 PM,10.254.254.246,pix.foo.com,LOCAL4,CRITICAL,%PI
> X-2-106012: Deny IP from 4.19.19.136 to 210.222.222.123, IP options
> 0x80350ce4
>
> 7/25/99,5:59:57 PM,10.254.254.246,pix.foo.com,LOCAL4,CRITICAL,%PI
> X-2-106012: Deny IP from 4.19.19.136 to 210.222.222.123, IP options
> 0x8030b6e4
>
> 7/25/99,6:00:08 PM,10.254.254.246,pix.foo.com,LOCAL4,CRITICAL,%PI
> X-2-106012: Deny IP from 4.19.19.136 to 210.222.222.123, IP options
> 0x80380814
>
> 7/25/99,6:06:07 PM,10.254.254.246,pix.foo.com,LOCAL4,CRITICAL,%PI
> X-2-106012: Deny IP from 4.19.19.136 to 210.222.222.123, IP options
> 0x802bf8c4
>
> 7/25/99,6:06:13 PM,10.254.254.246,pix.foo.com,LOCAL4,CRITICAL,%PI
> X-2-106012: Deny IP from 4.19.19.136 to 210.222.222.123, IP options
> 0x802b9e94
>
> These IP options don't seem to correspond to anything to which I can find
> reference. From what I can tell, the IP option here is of type 128? That
> would indicate that only the copy bit in the Type code octet is set.  Or
> maybe I am reading the number wrong.
>
> -esteban