RE: Odd entries in my Security Router logs

From: Julian Young (julian.youngat_private)
Date: Tue Dec 10 2002 - 03:28:45 PST


    The router is performing NAT and stateful packet inspection only.
    
    Currently it has no WAN -> LAN input channels and no further ACL
    defined. Its sole purpose is to relieve the firewall of DHCP duty.
    
    Although it seems to clean up a lot more than that at the moment.
    
    Both are on a 255.255.255.0 netmask.
    
    
    
    On Tue, 2002-12-10 at 11:22, Jim Terry wrote:
    > 
    > 
    > Hi Julian,
    > 
    > Can you post some of the router config- namely what logg commands, are you logging on your ACLs, and if you are logging on the ACLs can you post the ACL?
    > 
    > Thanks,
    > 
    > JT
    > 
    > 
    > Jim Terry
    > 
    > --- On Mon 12/09, Julian Young wrote:
    > From: Julian Young [mailto: julian.youngat_private]
    > To: incidentsat_private: 09 Dec 2002 10:37:47 +0100
    > Subject: Odd entries in my Security Router logs
    > 
    > I keep seeing these entries in my external router's log files. Does
    > anyone recognize them and know what type of attack they are? OK, it is
    > obviously something to do with DHCP, but I recently had a firewall
    > compromised and I still don't know how. Since that wall had DHCP open,
    > I wonder if this could have been the trick.
    > 
    > I have left the IP numbers as they are since none of them belong to me
    > or are in any range I use!
    > 
    > #   Time        Packet Information                      Reason          Action
    >   1|Dec  8 02 |From:192.168.7.249   To:192.168.255.254 |match          |block
    >    | 09:37:12 |UDP     src port:00068 dest port:00067  |service deny   |
    >   2|Dec  8 02 |From:192.168.8.250   To:192.168.255.254 |match          |block
    >    | 09:37:12 |UDP     src port:00068 dest port:00067  |service deny   |
    >   3|Dec  8 02 |From:192.168.7.249   To:192.168.255.254 |match          |block
    >    | 15:45:32 |UDP     src port:00068 dest port:00067  |service deny   |
    > 
    > 
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Dec 11 2002 - 10:31:16 PST
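
Added example (not part of the original thread, and not code from either poster): a Python parser for the two-row log format quoted above that reassembles each entry and flags DHCP client-to-server packets. The field names and flag names are assumptions chosen for this example; the 255.255.255.0 mask is the one given in the reply, and UDP 68 -> 67 is the standard DHCP client -> server port pair.

```python
import ipaddress
import re
from collections import Counter

# The three entries from the quoted post, with the mail line-wrapping undone.
SAMPLE = """\
  1|Dec  8 02 |From:192.168.7.249   To:192.168.255.254 |match          |block
   | 09:37:12 |UDP     src port:00068 dest port:00067  |service deny   |
  2|Dec  8 02 |From:192.168.8.250   To:192.168.255.254 |match          |block
   | 09:37:12 |UDP     src port:00068 dest port:00067  |service deny   |
  3|Dec  8 02 |From:192.168.7.249   To:192.168.255.254 |match          |block
   | 15:45:32 |UDP     src port:00068 dest port:00067  |service deny   |
"""

# One entry spans two rows; \s and [^|] also cross newlines, so wrapped rows still match.
ENTRY = re.compile(
    r"(?P<n>\d+)\|(?P<date>\w{3}\s+\d+\s+\d+)\s*\|From:(?P<src>[\d.]+)\s+To:(?P<dst>[\d.]+)\s*"
    r"\|(?P<reason1>[^|]*)\|(?P<action>[^|]*)\|\s*(?P<time>\d\d:\d\d:\d\d)\s*"
    r"\|(?P<proto>\w+)\s+src port:(?P<sport>\d+)\s+dest port:(?P<dport>\d+)\s*"
    r"\|(?P<reason2>[^|]*)\|"
)

def parse(text, mask="255.255.255.0"):
    """Return one dict per log entry, with triage flags added."""
    text = re.sub(r"(?m)^[ \t]*>[ \t]?", "", text)  # drop "> " mail quoting if present
    entries = []
    for m in ENTRY.finditer(text):
        e = {k: " ".join(v.split()) for k, v in m.groupdict().items()}
        e["reason"] = f'{e.pop("reason1")} {e.pop("reason2")}'
        src, dst = ipaddress.ip_address(e["src"]), ipaddress.ip_address(e["dst"])
        ports = (e["proto"], int(e["sport"]), int(e["dport"]))
        e["dhcp_client_to_server"] = ports == ("UDP", 68, 67)
        e["private_src"] = src.is_private  # RFC 1918 source seen on the external side
        e["same_subnet"] = dst in ipaddress.ip_network(f"{src}/{mask}", strict=False)
        e["broadcast"] = dst == ipaddress.ip_address("255.255.255.255")
        entries.append(e)
    return entries

def summarize(entries):
    """Count DHCP client-to-server packets per (source, destination) pair."""
    return Counter((e["src"], e["dst"]) for e in entries if e["dhcp_client_to_server"])

if __name__ == "__main__":
    for pair, count in summarize(parse(SAMPLE)).items():
        print(pair, count)
```
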