Interesting packets

From: Jeremy Junginger (jjungingerat_private)
Date: Mon Sep 16 2002 - 08:30:48 PDT


    I've been tracing these packets for a while now, and am having a bit of
    trouble deciphering what's happening.  It appears that this host is
    attempting to contact an external host over UDP port 8197 where the
    firewall blocks it.  Interesting points are:
    
    It looks like host x.x.x.4 is initiating a UDP session with 68.60.32.5
    over port 8197.
    We block this port with egress filtering at the firewall, as it is not a
    dataflow we utilize in our production systems.
    Anybody deciphered similar alerts?
    
    
    Generated by ACID v0.9.6b21 on Mon September 16, 2002 08:02:58
    
    ------------------------------------------------------------------------------
    #(1 - 8399) [2002-09-16 06:50:18]  ICMP Destination Unreachable
    (Communication Administratively Prohibited)
    IPv4: 68.60.32.249 -> x.x.x.4
          hlen=5 TOS=0 dlen=56 ID=2147 flags=0 offset=0 TTL=241 chksum=31000
    ICMP: type=Destination Unreachable code=Packet Filtered
          checksum=42554 id= seq=
    Payload:  length = 32
    
    000 : 00 00 00 00 45 00 00 3D 78 26 00 00 70 11 8B 34   ....E..=x&..p..4
    010 : AC 10 37 04 44 3C 20 05 0F 72 00 35 00 29 46 E8   ..7.D< ..r.5.)F.
    
    Original IP information:  UDP x.x.x.4 x.xyz.com 17468 68.60.32.5 ns01.pntiac01.mi.comcast.net 8197
    
    -Jeremy
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
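The useful evidence in an alert like this is the 32-byte payload, not the analyser's summary line: an ICMP Destination Unreachable message carries the original IP header plus the first 8 bytes of the original datagram (RFC 792), so the real addresses and ports can be read straight from the hex dump. The following decoder is an added example written for this page, not code from Jeremy's post or from ACID; its only input is the 32 payload bytes printed in the alert above, copied into the `ACID_PAYLOAD_HEX` constant. Decoding them gives a UDP datagram to 68.60.32.5 with source port 3954 and destination port 53, total length 61, and an IP header checksum that verifies. The 17468/8197 pair in the summary line is exactly what a decoder reads if it does not skip the 4-byte unused field at the start of the payload and so lands on the last four bytes of the destination address instead of the UDP header; port 53 is also consistent with the destination name `ns01...comcast.net` being a name server. The `ports_without_skipping_unused` function is a hypothetical helper added to show that off-by-four reading, not a description of ACID's code.

```python
"""Decode and verify the original IP + UDP header quoted inside an ICMP
Destination Unreachable message, rather than trusting an analyser summary.

Input: the 32 payload bytes exactly as printed in the ACID alert above."""
import struct

# The two hex-dump rows (offsets 000 and 010) from the alert, joined.
ACID_PAYLOAD_HEX = (
    "00 00 00 00 45 00 00 3D 78 26 00 00 70 11 8B 34 "
    "AC 10 37 04 44 3C 20 05 0F 72 00 35 00 29 46 E8"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def hexdump_to_bytes(text):
    """Turn a space-separated hex dump into bytes."""
    return bytes.fromhex(text.replace(" ", ""))


def ip_header_checksum_ok(header):
    """RFC 1071 ones'-complement sum over the whole header (checksum field
    included) folds to 0xFFFF when the header has not been corrupted."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_unreachable_payload(payload):
    """ICMP type 3 payload layout (RFC 792): 4 unused bytes, then the original
    IP header, then the first 8 bytes of the original datagram, which for UDP
    is the entire UDP header (ports, length, checksum)."""
    if len(payload) < 4 + 20 + 8:
        raise ValueError("payload too short for an IP header plus 8 bytes")
    inner = payload[4:]  # skip the unused field; an off-by-four parser omits this step
    (ver_ihl, _tos, total_len, ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("quoted header is not IPv4")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (options included)
    info = {
        "total_len": total_len,
        "id": ident,
        "ttl": ttl,
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "checksum_ok": ip_header_checksum_ok(inner[:ihl]),
    }
    l4 = inner[ihl:ihl + 8]
    if proto in (6, 17) and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    if proto == 17 and len(l4) >= 6:
        info["udp_len"] = struct.unpack("!H", l4[4:6])[0]
    return info


def ports_without_skipping_unused(payload):
    """Hypothetical faulty decoder: treat the payload as starting directly
    with the IP header (no 4-byte unused field).  Offset 20 is then the last
    four bytes of the destination address, not the transport ports."""
    return struct.unpack("!HH", payload[20:24])


if __name__ == "__main__":
    data = hexdump_to_bytes(ACID_PAYLOAD_HEX)
    for key, value in decode_unreachable_payload(data).items():
        print("%-12s %s" % (key, value))
    print("off-by-4 ports", ports_without_skipping_unused(data))
```

The checksum check matters because the quoted header comes from a third party's router; if it failed, nothing else decoded from the payload would be trustworthy. With it passing, the datagram that the upstream filter rejected is a plain outbound name lookup, which is what an egress rule for the firewall should be evaluated against.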
    



    This archive was generated by hypermail 2b30 : Mon Sep 16 2002 - 23:38:22 PDT