Firewall Wizards mailing list archives
Re: weird IP options.
From: Andy Smith <andy () centralworks com>
Date: Tue, 27 Jul 1999 18:48:28 -0700
From Cisco Universal CD:
Log Message %PIX-2-106012: Deny IP from IP_addr to IP_addr, IP options hex.

Explanation - This is a connection-related message. An IP packet was seen with IP options. Since IP options are considered a security risk, the packet was discarded.

Recommended Action - A security breach was probably attempted. Check local site for loose source or strict source routing.

Andy Smith
Centralworks LLC

esteban wrote:
hi-

I am trying to find out what the following entries in my PIX log might be (IP's have been changed) to protect the innocent.

7/25/99,5:59:50 PM,10.254.254.246,pix.foo.com,LOCAL4,CRITICAL,%PIX-2-106012: Deny IP from 4.19.19.136 to 210.222.222.123, IP options 0x80350ce4
7/25/99,5:59:57 PM,10.254.254.246,pix.foo.com,LOCAL4,CRITICAL,%PIX-2-106012: Deny IP from 4.19.19.136 to 210.222.222.123, IP options 0x8030b6e4
7/25/99,6:00:08 PM,10.254.254.246,pix.foo.com,LOCAL4,CRITICAL,%PIX-2-106012: Deny IP from 4.19.19.136 to 210.222.222.123, IP options 0x80380814
7/25/99,6:06:07 PM,10.254.254.246,pix.foo.com,LOCAL4,CRITICAL,%PIX-2-106012: Deny IP from 4.19.19.136 to 210.222.222.123, IP options 0x802bf8c4
7/25/99,6:06:13 PM,10.254.254.246,pix.foo.com,LOCAL4,CRITICAL,%PIX-2-106012: Deny IP from 4.19.19.136 to 210.222.222.123, IP options 0x802b9e94

These IP options don't seem to correspond to anything to which I can find reference. From what I can tell, the IP option here is of type 128? That would indicate that only the copy bit in the Type code octet is set. Or maybe I am reading the number wrong.

-esteban
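
As an added example (not part of the original posts), the following decodes the first octet of the logged options value using the RFC 791 option-type layout esteban refers to (copied flag, class, number) and flags the source-routing types named in the Cisco recommended action. It assumes the logged hex value is a 32-bit word whose most significant byte is the option type octet; the two 192.0.2.x lines are constructed samples.

```python
import re

# First line is taken from the post above; the 192.0.2.x lines are constructed.
SAMPLE_LOG = """\
%PIX-2-106012: Deny IP from 4.19.19.136 to 210.222.222.123, IP options 0x80350ce4
%PIX-2-106012: Deny IP from 192.0.2.10 to 210.222.222.123, IP options 0x83070400
%PIX-2-106012: Deny IP from 192.0.2.11 to 210.222.222.123, IP options 0x89070400
"""

# Option types defined in RFC 791, keyed by the full type octet.
KNOWN_OPTIONS = {
    0x00: "End of Option List",
    0x01: "No Operation",
    0x07: "Record Route",
    0x44: "Internet Timestamp",
    0x82: "Security",
    0x83: "Loose Source and Record Route",
    0x88: "Stream ID",
    0x89: "Strict Source and Record Route",
}
SOURCE_ROUTE_TYPES = {0x83, 0x89}

LINE_RE = re.compile(
    r"%PIX-2-106012: Deny IP from (\S+) to (\S+), IP options (0x[0-9a-fA-F]+)"
)

def decode_option_type(octet):
    """Split an option type octet into its RFC 791 fields."""
    return {
        "copied": (octet >> 7) & 0x1,   # bit 7: copy into every fragment
        "class": (octet >> 5) & 0x3,    # bits 6-5: 0 = control, 2 = debugging
        "number": octet & 0x1F,         # bits 4-0: option number
        "name": KNOWN_OPTIONS.get(octet, "not defined in RFC 791"),
        "source_route": octet in SOURCE_ROUTE_TYPES,
    }

def triage(log_text):
    """Return one decoded record per 106012 line found in log_text."""
    records = []
    for match in LINE_RE.finditer(log_text):
        src, dst, raw = match.groups()
        # Assumption: 32-bit word, most significant byte is the type octet.
        first_octet = int(raw[2:].zfill(8)[:2], 16)
        records.append({"src": src, "dst": dst, "raw": raw,
                        **decode_option_type(first_octet)})
    return records

if __name__ == "__main__":
    for record in triage(SAMPLE_LOG):
        print(record)
```

Under that assumption, every value in the quoted log starts with 0x80, which decodes to copied=1, class=0, number=0 and matches no RFC 791 option, whereas 0x83 and 0x89 are the loose and strict source-route options.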
Current thread:
- weird IP options. esteban (Jul 27)
- Re: weird IP options. Ge' Weijers (Jul 27)
- Re: weird IP options. Andy Smith (Jul 29)