From: Geffrey Velasquez <g_netfilter@netfids.com>
To: Ramin Dousti <ramin@cannon.eng.us.uu.net>
Cc: netfilter@lists.netfilter.org
Subject: Re[2]: Source and Destination port 0
Date: Tue, 15 Jul 2003 14:16:08 -0500
Message-ID: <391677265.20030715141608@netfids.com>
In-Reply-To: <20030715175713.GF24604@cannon.eng.us.uu.net>

More detail:

RD> If the FORWARD chain is not blocking these faulty packets it might mean
RD> that the packets are being generated on the firewall itself.

Maybe, but in this supposed case my firewall would have to be compromised.
It has tripwire installed and... I don't see signs of intrusion.

RD>  Try to block
RD> them on the OUTPUT chain as well and see what happens.

I also put the rules in the OUTPUT chain, and I still continue getting
the packets.

RD> The next step would
RD> be to figure out why you get them.

This is a sample of the snort logs; the destination IP is an internal
NATed IP address, and maybe the source IP is spoofed:

[**] [116:56:1] (snort_decoder): T/TCP Detected [**]
07/15-13:46:24.988459 216.136.173.130:0 ->  . . . :0
TCP TTL:52 TOS:0x0 ID:59827 IpLen:20 DgmLen:68 DF
******S* Seq: 0x65FF5C67  Ack: 0x0  Win: 0xFFFF  TcpLen: 48

[**] [116:56:1] (snort_decoder): T/TCP Detected [**]
07/15-13:47:20.446750 66.163.169.17:0 ->  . . . :0
TCP TTL:51 TOS:0x0 ID:32453 IpLen:20 DgmLen:68 DF
******S* Seq: 0xFE485E60  Ack: 0x0  Win: 0xFFFF  TcpLen: 48

I will continue investigating, but could someone give me
recommendations?


Regards,
Geffrey


RD> Ramin

RD> On Tue, Jul 15, 2003 at 12:16:44PM -0500, Geffrey Velasquez wrote:

>> Hello Friends,
>> 
>> I have in my IDS logs packets coming from outside to DMZ servers with
>> source port 0 and destination port 0.
>> 
>> The IDS is located in the DMZ network, and I have an iptables
>> firewall, kernel-2.4.18-26.1.99_kb2c.1foo over RH 8 (that is the
>> kernel with superfreeswan patches).
>> 
>> I tried with this couple of rules on top of FORWARD chain:
>> 
>> $IPT -A FORWARD -p tcp --sport 0 -j LOG --log-prefix "Zero: "
>> $IPT -A FORWARD -p tcp --sport 0 -j DROP
>> 
>> also:
>> 
>> $IPT -A FORWARD -p tcp --sport 0 --dport 0 -j LOG --log-prefix "Cero: "
>> $IPT -A FORWARD -p tcp --sport 0 --dport 0 -j DROP
>> 
>> After that I continue viewing the bad packets on the IDS; how could I
>> filter this kind of packet?
>> 
>> 
>> -- 
>> Best regards,
>>  Geffrey                          mailto:g_netfilter@netfids.com
>> 
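As an added example (not code from the thread), a small Python parser for the snort "full" alert format quoted above: it pulls out ports, TCP flags and header lengths, then filters for the SYN-only, port-0 segments Geffrey is seeing. The sample alerts are constructed: the two T/TCP alerts from the post with the redacted destination replaced by an RFC 1918 placeholder, plus one ordinary SYN as a negative case.

```python
import re
from dataclasses import dataclass

# Constructed sample in the snort "full" alert format quoted in the thread: the two
# T/TCP alerts from the post (redacted destination replaced by an RFC 1918 placeholder)
# plus one ordinary SYN so the filter has a negative case.
SAMPLE_ALERTS = """\
[**] [116:56:1] (snort_decoder): T/TCP Detected [**]
07/15-13:46:24.988459 216.136.173.130:0 -> 10.0.0.5:0
TCP TTL:52 TOS:0x0 ID:59827 IpLen:20 DgmLen:68 DF
******S* Seq: 0x65FF5C67  Ack: 0x0  Win: 0xFFFF  TcpLen: 48

[**] [116:56:1] (snort_decoder): T/TCP Detected [**]
07/15-13:47:20.446750 66.163.169.17:0 -> 10.0.0.5:0
TCP TTL:51 TOS:0x0 ID:32453 IpLen:20 DgmLen:68 DF
******S* Seq: 0xFE485E60  Ack: 0x0  Win: 0xFFFF  TcpLen: 48

[**] [1:1000001:1] constructed: ordinary SYN to a web server [**]
07/15-13:50:00.000000 192.0.2.10:40000 -> 10.0.0.5:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
******S* Seq: 0x00000001  Ack: 0x0  Win: 0x4000  TcpLen: 40
"""

@dataclass
class Alert:
    sid: str; msg: str; src: str; sport: int; dst: str; dport: int
    flags: str; ip_len: int; dgm_len: int; tcp_len: int  # flags: snort's "12UAPRSF" field

    def option_bytes(self) -> int:   # TCP header beyond the fixed 20 bytes
        return self.tcp_len - 20

    def payload_bytes(self) -> int:  # IP total length minus both headers
        return self.dgm_len - self.ip_len - self.tcp_len

def parse_alert(record: str) -> Alert:
    """Parse one snort 'full' alert record (the four-line format in the thread)."""
    hdr, flow, ip, tcp = record.splitlines()
    sid, msg = re.match(r"\[\*\*\] \[(\d+:\d+:\d+)\] (.*) \[\*\*\]$", hdr).groups()
    src, sport, dst, dport = re.match(r"\S+ (\S+):(\d+) -> (\S+):(\d+)$", flow).groups()
    ip_len, dgm_len = re.match(r"TCP TTL:\d+ .*IpLen:(\d+) DgmLen:(\d+)", ip).groups()
    flags, tcp_len = re.match(r"([12UAPRSF*]{8}) .*TcpLen: (\d+)$", tcp).groups()
    return Alert(sid, msg, src, int(sport), dst, int(dport),
                 flags, int(ip_len), int(dgm_len), int(tcp_len))

def port_zero_syns(text: str) -> list:
    """SYN-only segments with source or destination port 0, as in the thread."""
    alerts = [parse_alert(r) for r in text.strip().split("\n\n")]
    return [a for a in alerts
            if (a.sport == 0 or a.dport == 0) and "S" in a.flags and "A" not in a.flags]
```

On the two alerts from the post it reports 28 bytes of TCP options and zero payload bytes: a SYN carrying a large option block and no data. The snort_decoder alert names T/TCP (RFC 1644) options, which this parser cannot see, since the full-alert format prints only the option length.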


