Security Incidents mailing list archives
Re: Invalid IP address
From: David Pick <d.m.pick () qmul ac uk>
Date: Tue, 22 Oct 2002 08:14:10 +0100
> You seem to be correct, someone on 68.84.8.41 is trying to access various other sites. One thing that is confusing in the log entries is the port number (0) which is being reported. Cisco access lists log the entry as port 0 when you don't explicitly specify the port number in the access list, so an ACL like:
>
>     access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
>
> will create logs with port 0 as the port; however ACLs like:
>
>     access-list 100 deny tcp 10.0.0.0 0.255.255.255 any range 0 65535 log
>     access-list 100 deny udp 10.0.0.0 0.255.255.255 any range 0 65535 log
>     access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
>
> will log the port numbers and produce a more understandable output - ie.
To be more precise, several releases of IOS logged port 0 when the log entry was produced by an access-list entry that did not check the port number ***and no previous entry had checked the port number***, so the port number had never actually been extracted from the packet. An ACL entry that did not specify a port number but caused a log event got it right if a previous entry in the ACL had checked the port number. The example above is correct but, depending on the individual lists concerned, not necessarily necessary. I'm sorry, I can't recall which version numbers were relevant.

--
David Pick

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
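The behaviour David describes (ports read from the packet only once an entry with a port qualifier has been evaluated, so an unqualified `ip ... log` entry that matches first reports `(0)` for both ports) can be modelled to see which ACL orderings produce useful logs. The following is an added illustration, not code from the thread or from Cisco: it is a deliberately simplified model of ACE evaluation (IPv4 only, `eq`/`range` port qualifiers, `%SEC-6-IPACCESSLOGP` format) under the assumption that IOS extracted the ports lazily exactly as the message states. The ACLs are the ones quoted above; the packet and log lines are constructed, with the source address 68.84.8.41 taken from the thread.

```python
import ipaddress
import re

# Constructed rendering of the IOS access-list log message for tcp/udp entries.
IOS_LOG = "%SEC-6-IPACCESSLOGP: list {acl} {verb} {proto} {src}({sport}) -> {dst}({dport}), 1 packet"


def _addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is an inverted netmask; ipaddress accepts it as a host mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _ports(tokens, i):
    """Consume an optional port qualifier (eq N | range A B); return ((lo, hi) or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = int(tokens[i + 1])
        return (p, p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    return None, i


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [ports] DST [ports] [log]' into a dict."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list entry: " + line)
    src, i = _addr(t, 4)
    sports, i = _ports(t, i)
    dst, i = _addr(t, i)
    dports, i = _ports(t, i)
    return {"acl": t[1], "action": t[2], "proto": t[3], "src": src, "sports": sports,
            "dst": dst, "dports": dports, "log": "log" in t[i:]}


def _in(rng, port):
    return rng is None or rng[0] <= port <= rng[1]


def evaluate(acl_lines, pkt):
    """Walk the ACL top-down as IOS does; return (action, log line or None).

    Modelled quirk (assumption from the thread): the packet's ports are only
    'extracted' once an entry with a port qualifier has been evaluated for this
    protocol; a logging entry reached before that reports port 0 on both ends.
    """
    port_extracted = False
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue  # protocol mismatch: this entry's port qualifiers are never consulted
        if ace["sports"] or ace["dports"]:
            port_extracted = True
        if (ipaddress.ip_address(pkt["src"]) in ace["src"]
                and ipaddress.ip_address(pkt["dst"]) in ace["dst"]
                and _in(ace["sports"], pkt["sport"]) and _in(ace["dports"], pkt["dport"])):
            log = None
            if ace["log"]:
                log = IOS_LOG.format(acl=ace["acl"], verb="denied" if ace["action"] == "deny" else "permitted",
                                     proto=pkt["proto"], src=pkt["src"], dst=pkt["dst"],
                                     sport=pkt["sport"] if port_extracted else 0,
                                     dport=pkt["dport"] if port_extracted else 0)
            return ace["action"], log
    return "deny", None  # implicit, unlogged deny at the end of every ACL


# Triage helper: tcp/udp log entries reporting (0) on both ends are the signature of this quirk.
_LOG_RE = re.compile(r"list (\S+) (denied|permitted) (tcp|udp) (\S+)\((\d+)\) -> (\S+)\((\d+)\)")


def port_zero_entries(loglines):
    """Return (src, dst) for tcp/udp entries whose ports were both logged as 0."""
    hits = []
    for line in loglines:
        m = _LOG_RE.search(line)
        if m and m.group(5) == "0" and m.group(7) == "0":
            hits.append((m.group(4), m.group(6)))
    return hits


# The ACLs quoted in the thread, plus one showing David's point about a prior port check.
ACL_IP_ONLY = ["access-list 100 deny ip 10.0.0.0 0.255.255.255 any log"]
ACL_EXPLICIT_PORTS = [
    "access-list 100 deny tcp 10.0.0.0 0.255.255.255 any range 0 65535 log",
    "access-list 100 deny udp 10.0.0.0 0.255.255.255 any range 0 65535 log",
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any log",
]
ACL_PRIOR_PORT_CHECK = [
    "access-list 100 permit tcp any any eq 25",  # checks a port, does not match port 80
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any log",
]
# Constructed packet: a TCP connection from inside 10/8 to a web server.
PKT = {"proto": "tcp", "src": "10.1.2.3", "sport": 40000, "dst": "192.0.2.10", "dport": 80}

if __name__ == "__main__":
    for name, acl in (("ip only", ACL_IP_ONLY), ("explicit ports", ACL_EXPLICIT_PORTS),
                      ("prior port check", ACL_PRIOR_PORT_CHECK)):
        print(f"{name:>17}: {evaluate(acl, PKT)[1]}")
```

Run against the three ACLs, only the first (`ip ... log` with nothing before it) produces `10.1.2.3(0) -> 192.0.2.10(0)`; the other two log the real ports, including the third ACL where the unqualified entry does the logging but an earlier `eq 25` entry had already forced the port lookup. `port_zero_entries` is the check to run over a syslog export before treating port 0 as evidence of anything about the remote host.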
Current thread:
- Invalid IP address Steven Lee (Oct 21)
- Re: Invalid IP address Kerry Thompson (Oct 21)
- Re: Invalid IP address David Pick (Oct 22)
- Re: Invalid IP address Dave Phelps (Oct 22)
- Re: Invalid IP address Jérôme Tytgat (Oct 23)
- Re: Invalid IP address Kerry Thompson (Oct 21)