Re: Invalid IP address

From: Jérôme Tytgat (jtytgatat_private)
Date: Tue Oct 22 2002 - 23:46:19 PDT


    It can also be a real port 0
    
    As Hping produces it by default...
    
    It's a good feature, as a lot of badly configured filtering
    routers/firewalls allow port 0 to go through...
    
    ----- Original Message -----
    From: "Dave Phelps" <tippenringat_private>
    To: <incidentsat_private>
    Sent: Tuesday, October 22, 2002 8:20 AM
    Subject: Re: Invalid IP address
    
    
    > "A log entry with port 0 means that the router didn't need to inspect the
    > port number to allow [or deny] the traffic, such as with the following:
    >
    > access-list 100 permit any any established log"
    >
    > --
    > Credit: Francois Labreque, comp.dcom.sys.cisco - 11/09/2000
    >
    >  ----- Original Message -----
    > From: "Steven Lee" <idsforensicat_private>
    > To: <incidentsat_private>
    > Sent: Monday, October 21, 2002 3:05 PM
    > Subject: Invalid IP address
    >
    >
    > |
    > | I am seeing this on my router syslog after I applied an access list on the
    > | internal interface. Can anyone tell me what this could be? The 68.84.8.41
    > | is a Comcast IP that is active on the network; however, someone inside our
    > | network is attempting to use it to go out to other sites? Thanks for your
    > | help.
    > |
    > | l7.Info X.X.X.X 38644: .Oct 21 13:40:27: %SEC-6-IPACCESSLOGP: list 101 denied tcp 68.84.8.41(0) -> 67.34.160.17(0), 1 packet
    > | 2002-10-21 13:35:37 Local7.Info X.X.X.X 38645: .Oct 21 13:40:28: %SEC-6-IPACCESSLOGP: list 101 denied tcp 68.84.8.41(0) -> 217.121.116.154(0), 1 packet
    > | 2002-10-21 13:35:38 Local7.Info X.X.X.X 38646: .Oct 21 13:40:29: %SEC-6-IPACCESSLOGP: list 101 denied tcp 68.84.8.41(0) -> 141.156.130.147(0), 1 packet
    > | 2002-10-21 13:35:39 Local7.Info X.X.X.X 38647: .Oct 21 13:40:30: %SEC-6-IPACCESSLOGP: list 101 denied tcp 68.84.8.41(0) -> 68.9.184.233(0), 2 packets
    > | 2002-10-21 13:35:40 Local7.Info X.X.X.X 38648: .Oct 21 13:40:32: %SEC-6-IPACCESSLOGP: list 101 denied tcp 68.84.8.41(0) -> 24.203.121.105(0), 1 packet
    > | 2002-10-21 13:35:41 Local7.Info X.X.X.X 38649: .Oct 21 13:40:33: %SEC-6-IPACCESSLOGP: list 101 denied tcp 68.84.8.41(0) -> 67.82.63.49(0), 1 packet
    > |
    > | ----------------------------------------------------------------------------
    > | This list is provided by the SecurityFocus ARIS analyzer service.
    > | For more information on this free incident handling, management
    > | and tracking system please see: http://aris.securityfocus.com
    > |
    > |
    >
    
    
    



    This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 17:06:10 PDT
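
An added example, not part of the original thread: a small triage script that parses `%SEC-6-IPACCESSLOGP` lines of the kind quoted above and summarizes, per source, the entries logged with both ports as 0. The sample lines are constructed (documentation address ranges), and the function name `port_zero_summary` is an assumption of this example.

```python
import re
from collections import defaultdict

# Matches the body of a Cisco IOS %SEC-6-IPACCESSLOGP message, e.g.
#   list 101 denied tcp 192.0.2.10(0) -> 198.51.100.7(0), 1 packet
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample lines (documentation address ranges), not taken from the thread.
SAMPLE = """\
Local7.Info 10.0.0.1 101: .Oct 21 13:40:27: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(0) -> 198.51.100.7(0), 1 packet
Local7.Info 10.0.0.1 102: .Oct 21 13:40:28: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(0) -> 203.0.113.9(0), 2 packets
Local7.Info 10.0.0.1 103: .Oct 21 13:40:29: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(0) -> 198.51.100.7(0), 1 packet
Local7.Info 10.0.0.1 104: .Oct 21 13:40:30: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.20(40312) -> 198.51.100.7(80), 1 packet
Local7.Info 10.0.0.1 105: .Oct 21 13:40:31: %SEC-5-UPDOWN: unrelated line
"""

def port_zero_summary(text):
    """Per (acl, action, proto, src): packet total and distinct destinations
    for entries logged with source AND destination port 0."""
    summary = defaultdict(lambda: {"packets": 0, "dsts": set()})
    for line in text.splitlines():
        m = LOGP.search(line)
        if not m or m["sport"] != "0" or m["dport"] != "0":
            continue  # not an IPACCESSLOGP line, or real port numbers were logged
        key = (m["acl"], m["action"], m["proto"], m["src"])
        summary[key]["packets"] += int(m["count"])
        summary[key]["dsts"].add(m["dst"])
    return dict(summary)

if __name__ == "__main__":
    for (acl, action, proto, src), s in port_zero_summary(SAMPLE).items():
        print(f"ACL {acl} {action} {proto} {src}: {s['packets']} packets, "
              f"{len(s['dsts'])} destinations, ports logged as 0/0")
        # The log alone cannot tell a genuine port-0 packet from an ACL entry
        # that matched without reading the ports; check the ACL or capture traffic.
```
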