> You seem to be correct, someone on 68.84.8.41 is trying to access various
> other sites. One thing that is confusing in the log entries is the port
> number (0) which is being reported. Cisco access lists log the entry as
> port 0 when you don't explicitly specify the port number in the access
> list, so an ACL like :
>
> access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
>
> will create logs with port 0 as the port, however ACLs like :
>
> access-list 100 deny tcp 10.0.0.0 0.255.255.255 any range 0 65535 log
> access-list 100 deny udp 10.0.0.0 0.255.255.255 any range 0 65535 log
> access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
>
> will log the port numbers and produce a more understandable output - ie.

To be more precise, several releases of IOS logged port 0 when the log
entry was produced by an access-list entry that did not check the port
number ***and no previous entry had checked the port number*** so the
port number had never actually been extracted from the packet. An ACL
entry that did not specify a port number but caused a log event got it
right if a previous entry in the ACL had checked the port number.

The example above is correct but, depending on the individual lists
concerned, not necessarily necessary. I'm sorry, I can't recall which
version numbers were relevant.

--
David Pick

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
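As an added example (not part of the thread or of any Cisco tool), a small Python parser for IOS ACL log lines that applies the point made above: a reported tcp/udp port pair of (0)->(0) is treated as "port never extracted" rather than as a real port 0. The log line shape and the sample lines are assumed and constructed for this example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Assumed IOS ACL log line shape (constructed for this example):
#   %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.1.2.3(0) -> 192.0.2.10(0), 1 packet
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

class AclEvent(NamedTuple):
    acl: str
    action: str
    proto: str
    src: str
    sport: Optional[int]   # None when the router never extracted the port
    dst: str
    dport: Optional[int]
    count: int
    port_known: bool

def parse_acl_log(line: str) -> Optional[AclEvent]:
    """Parse one ACL log line; return None if it does not match.

    Per the thread: on affected IOS releases an entry that did not check
    ports (e.g. 'deny ip ... log'), with no earlier port-checking entry,
    logs both ports as 0 because they were never read from the packet.
    A genuine (0)->(0) tcp/udp flow is not something a real client sends,
    so that pair is flagged as unknown instead of being trusted as port 0.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    unknown = m["proto"] in ("tcp", "udp") and sport == 0 and dport == 0
    return AclEvent(
        acl=m["acl"], action=m["action"], proto=m["proto"],
        src=m["src"], sport=None if unknown else sport,
        dst=m["dst"], dport=None if unknown else dport,
        count=int(m["count"]), port_known=not unknown,
    )

# Constructed sample lines: the first from a port-blind entry, the second
# from an ACL whose earlier tcp/udp 'range 0 65535' entries exposed the ports.
SAMPLE_LOGS = [
    "%SEC-6-IPACCESSLOGP: list 100 denied tcp 10.1.2.3(0) -> 192.0.2.10(0), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 100 denied tcp 10.1.2.3(4321) -> 192.0.2.10(445), 3 packets",
]

def summarize(lines: List[str]) -> Tuple[List[AclEvent], List[AclEvent]]:
    """Split parsed events into (ports known, ports unknown) for triage."""
    events = [e for e in map(parse_acl_log, lines) if e]
    return [e for e in events if e.port_known], [e for e in events if not e.port_known]
```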
This archive was generated by hypermail 2b30 : Tue Oct 22 2002 - 16:18:12 PDT