* psd match false positives?
@ 2005-10-03 14:15 afshin lamei
  0 siblings, 0 replies; only message in thread
From: afshin lamei @ 2005-10-03 14:15 UTC (permalink / raw)
  To: netfilter

hi all,
I am using the "port scan match" with its default values, my rules are like
this:
iptables -A INPUT -m psd -j LOG --log-prefix "port scan:" // log the port scan
iptables -A INPUT -m psd -j DROP // Drop it silently

one of my DNS servers is 4.2.2.4, and I'm seeing these logs, which say that
4.2.2.4 is port scanning my box (external interface: 192.168.100.151) !!

Oct 3 17:23:35 kernel: Port scan:IN=eth0 OUT= SRC=4.2.2.4 DST=192.168.100.151 LEN=8 PROTO=UDP SPT=53 DPT=32769
Oct 3 17:23:35 kernel: Port scan:IN=eth0 OUT= SRC=4.2.2.4 DST=192.168.100.151 LEN=1 PROTO=UDP SPT=53 DPT=32761
Oct 3 17:23:35 kernel: Port scan:IN=eth0 OUT= SRC=4.2.2.4 DST=192.168.100.151 LEN=1 PROTO=UDP SPT=53 DPT=32773
Oct 3 17:23:35 kernel: Port scan:IN=eth0 OUT= SRC=4.2.2.4 DST=192.168.100.151 LEN=1 PROTO=UDP SPT=53 DPT=32775
Oct 3 17:23:35 kernel: Port scan:IN=eth0 OUT= SRC=4.2.2.4 DST=192.168.100.151 LEN=1 PROTO=UDP SPT=53 DPT=32780

It seems to be a false positive, isn't it? If so, dropping them will cause
problems, so what should I do?
regards,
afshin
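A triage pass over the logged burst, added here as an example; it is not part of the original message and not a feature of the psd match. It parses the five LOG entries quoted above (reproduced with the mail client's link residue removed), groups them by source address, and applies one heuristic that is an assumption of this example: a burst that is entirely UDP, entirely from source port 53 and aimed only at unprivileged destination ports is the shape of DNS answers to the box's own queries, because the resolver picks a fresh ephemeral port for each query and psd counts those distinct ports as a scan. The second, contrast sample is constructed (TEST-NET-3 source address) to show the same code leaving a different-looking burst for a human to review.

```python
import re
from collections import defaultdict

# Constructed sample input: the five psd LOG entries quoted in the post,
# each rejoined onto one line with the mail client's "<http://...>" residue
# removed. Field layout follows the ipt_LOG format shown in the post.
DNS_REPLY_LOG = """\
Oct 3 17:23:35 kernel: Port scan:IN=eth0 OUT= SRC=4.2.2.4 DST=192.168.100.151 LEN=8 PROTO=UDP SPT=53 DPT=32769
Oct 3 17:23:35 kernel: Port scan:IN=eth0 OUT= SRC=4.2.2.4 DST=192.168.100.151 LEN=1 PROTO=UDP SPT=53 DPT=32761
Oct 3 17:23:35 kernel: Port scan:IN=eth0 OUT= SRC=4.2.2.4 DST=192.168.100.151 LEN=1 PROTO=UDP SPT=53 DPT=32773
Oct 3 17:23:35 kernel: Port scan:IN=eth0 OUT= SRC=4.2.2.4 DST=192.168.100.151 LEN=1 PROTO=UDP SPT=53 DPT=32775
Oct 3 17:23:35 kernel: Port scan:IN=eth0 OUT= SRC=4.2.2.4 DST=192.168.100.151 LEN=1 PROTO=UDP SPT=53 DPT=32780
"""

# Constructed contrast sample (not from the post): a burst psd would also
# flag but that does not have the shape of reply traffic. The source
# address is from the TEST-NET-3 documentation range.
SCAN_LIKE_LOG = """\
Oct 3 17:40:01 kernel: Port scan:IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.100.151 LEN=60 PROTO=TCP SPT=40211 DPT=21
Oct 3 17:40:01 kernel: Port scan:IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.100.151 LEN=60 PROTO=TCP SPT=40212 DPT=22
Oct 3 17:40:01 kernel: Port scan:IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.100.151 LEN=60 PROTO=TCP SPT=40213 DPT=23
Oct 3 17:40:01 kernel: Port scan:IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.100.151 LEN=60 PROTO=TCP SPT=40214 DPT=25
Oct 3 17:40:02 kernel: Port scan:IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.100.151 LEN=60 PROTO=TCP SPT=40215 DPT=80
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
EPHEMERAL_MIN = 1024  # destination ports below this are service ports, not query sources


def parse_line(line):
    """Return the KEY=VALUE fields of one psd LOG entry as a dict (empty values kept).

    Returns None for lines that do not carry the "Port scan:" prefix.
    """
    _, sep, rest = line.partition("Port scan:")
    if not sep:
        return None
    return dict(FIELD_RE.findall(rest))


def classify_burst(records):
    """Classify all psd hits from one source address.

    Heuristic (an assumption of this example, not part of psd): UDP only,
    source port 53 only, and every destination port unprivileged is what
    DNS answers to our own queries look like. Anything else is handed back
    as "possible-scan" for a human to review rather than silently cleared.
    """
    protos = {r.get("PROTO") for r in records}
    sports = {r.get("SPT") for r in records}
    dports = {int(r["DPT"]) for r in records if r.get("DPT", "").isdigit()}
    if protos == {"UDP"} and sports == {"53"} and dports and min(dports) >= EPHEMERAL_MIN:
        return "likely-dns-replies"
    return "possible-scan"


def triage_log(text):
    """Group psd log lines by SRC and classify each source's burst."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("SRC"):
            by_src[rec["SRC"]].append(rec)
    return {src: classify_burst(recs) for src, recs in sorted(by_src.items())}


if __name__ == "__main__":
    for label, log in (("post sample", DNS_REPLY_LOG), ("contrast sample", SCAN_LIKE_LOG)):
        for src, verdict in triage_log(log).items():
            print(f"{label}: {src} -> {verdict}")
```

The classifier is a reading aid for the log, not a fix: a remote sender is free to use source port 53 as well, so the verdict says only that the burst is consistent with reply traffic. The durable mitigation is rule ordering: accept traffic that connection tracking already knows about (`-m state --state ESTABLISHED,RELATED -j ACCEPT`) before any `-m psd` rule, so answers to the box's own DNS queries never reach the scan detector and only unsolicited packets are counted against a source.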
