I've been tracing these packets for a while now, and am having a bit of trouble deciphering what's happening. It appears that this host is attempting to contact an external host over udp port 8197 where the firewall blocks it. Interesting points are: It looks like host x.x.x.4 is initiating a udp session with 68.60.32.5 over port 8197. We block this port with egress filtering at the firewall, as it is not a dataflow we utilize in our production systems. Anybody deciphered similar alerts? Generated by ACID v0.9.6b21 on Mon September 16, 2002 08:02:58 ------------------------------------------------------------------------ ------ #(1 - 8399) [2002-09-16 06:50:18] ICMP Destination Unreachable (Communication Administratively Prohibited) IPv4: 68.60.32.249 -> x.x.x.4 hlen=5 TOS=0 dlen=56 ID=2147 flags=0 offset=0 TTL=241 chksum=31000 ICMP: type=Destination Unreachable code=Packet Filtered checksum=42554 id= seq= Payload: length = 32 000 : 00 00 00 00 45 00 00 3D 78 26 00 00 70 11 8B 34 ....E..=x&..p..4 010 : AC 10 37 04 44 3C 20 05 0F 72 00 35 00 29 46 E8 ..7.D< ..r.5.)F. Original IP information: UDP x.x.x.4 x.xyz.com 17468 68.60.32.5 ns01.pntiac01.mi.comcast.net 8197 -Jeremy ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Sep 16 2002 - 23:38:22 PDT