Security Incidents mailing list archives

Re: Invalid IP address


From: David Pick <d.m.pick () qmul ac uk>
Date: Tue, 22 Oct 2002 08:14:10 +0100


> You seem to be correct, someone on 68.84.8.41 is trying to access various
> other sites. One thing that is confusing in the log entries is the port
> number (0) which is being reported. Cisco access lists log the entry as
> port 0 when you don't explicitly specify the port number in the access
> list, so an ACL like :
> 
> access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
> 
> will create logs with port 0 as the port, however ACLs like :
> 
> access-list 100 deny tcp 10.0.0.0 0.255.255.255 any range 0 65535 log
> access-list 100 deny udp 10.0.0.0 0.255.255.255 any range 0 65535 log
> access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
> 
> will log the port numbers and produce a more understandable output - ie.

To be more precise, several releases of IOS logged port 0 when
the log entry was produced by an access-list entry that did
not check the port number ***and no previous entry had checked
the port number*** so the port number had never actually been
extracted from the packet. An ACL entry that did not specify
a port number but caused a log event got it right if a previous
entry in the ACL had checked the port number.

The example above is correct but, depending on the individual
lists concerned, not necessarily necessary.

I'm sorry, I can't recall which version numbers were relevant.

-- 
        David Pick


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
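The two rules discussed in this thread (a logging entry that checks no port reports port 0 unless an earlier entry in the same list already checked ports, and a "(0)" in the resulting log is therefore "never extracted" rather than real port-0 traffic) can be turned into a small checker. The code below is an added example, not part of the original message or of any Cisco tooling: it walks a numbered ACL and says which `log` entries would have had ports available under the behaviour David describes, and it parses IOS `%SEC-6-IPACCESSLOGP` lines and flags both-ports-zero records as unreliable. The sample ACL is the one from the quoted text; the log lines, the `192.0.2.10` destination, and the timestamps are constructed for the example, and the both-zero heuristic is an assumption of this example, not something the thread states.

```python
"""Reasoning about 'port 0' in Cisco IOS ACL log messages (added example)."""
import re
from typing import Dict, List, Optional

# Port operators that make a tcp/udp ACE examine layer-4 ports.
PORT_OPERATORS = {"eq", "gt", "lt", "neq", "range"}


def ace_checks_ports(ace: str) -> bool:
    """True if a numbered-ACL entry compares TCP/UDP port numbers."""
    tokens = ace.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        return False
    proto = tokens[3]
    if proto not in ("tcp", "udp"):
        return False  # 'ip', 'icmp', ... never look at ports
    return any(t in PORT_OPERATORS for t in tokens[4:])


def logging_entries_report_ports(acl: List[str]) -> List[Dict]:
    """Walk an ACL top to bottom; for each entry ending in 'log' or
    'log-input', report whether the affected IOS releases would have had
    the port numbers available: yes if this entry checks ports, or if any
    earlier entry in the same list already did (the rule from the thread)."""
    seen_port_check = False
    result = []
    for idx, ace in enumerate(acl):
        seen_port_check = seen_port_check or ace_checks_ports(ace)
        if ace.split()[-1] in ("log", "log-input"):
            result.append({"index": idx, "ace": ace,
                           "ports_logged": seen_port_check})
    return result


# IOS message for logged tcp/udp packets, e.g.
#   %SEC-6-IPACCESSLOGP: list 100 denied tcp 68.84.8.41(0) -> 192.0.2.10(0), 1 packet
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_log_line(line: str) -> Optional[Dict]:
    """Parse one IPACCESSLOGP line; returns None for other message types
    (IPACCESSLOGNP/IPACCESSLOGDP carry no tcp/udp ports to begin with)."""
    m = ACL_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    # Assumption of this example: both ports reported as 0 is the signature
    # of "never extracted", not of real traffic to port 0, so mark it so an
    # analyst does not chase a phantom service on port 0.
    rec["ports_reliable"] = not (rec["sport"] == 0 and rec["dport"] == 0)
    return rec


# The ACL from the quoted message, and a single-entry 'ip' ACL for contrast.
SAMPLE_ACL = [
    "access-list 100 deny tcp 10.0.0.0 0.255.255.255 any range 0 65535 log",
    "access-list 100 deny udp 10.0.0.0 0.255.255.255 any range 0 65535 log",
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any log",
]
NAIVE_ACL = ["access-list 100 deny ip 10.0.0.0 0.255.255.255 any log"]

# Constructed log lines (not from the thread); 192.0.2.10 is a documentation address.
SAMPLE_LOGS = [
    "Oct 22 07:55:01: %SEC-6-IPACCESSLOGP: list 100 denied tcp 68.84.8.41(0) -> 192.0.2.10(0), 1 packet",
    "Oct 22 07:55:09: %SEC-6-IPACCESSLOGP: list 100 denied tcp 68.84.8.41(3412) -> 192.0.2.10(80), 3 packets",
    "Oct 22 07:55:12: %SEC-6-IPACCESSLOGNP: list 100 denied 47 68.84.8.41 -> 192.0.2.10, 1 packet",
]

if __name__ == "__main__":
    for entry in logging_entries_report_ports(SAMPLE_ACL) + logging_entries_report_ports(NAIVE_ACL):
        print(f"ports logged={entry['ports_logged']!s:5}  {entry['ace']}")
    for line in SAMPLE_LOGS:
        print(parse_log_line(line))
```

Run as a script it prints, for the three-entry list, that every logging entry will carry ports, and for the lone `ip` entry that it will not; the first constructed log line is then flagged `ports_reliable: False`, which is the record an analyst should read as "ports unknown" rather than "attacker hit port 0".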
