Truncated firewall log entries.

A discussion within the Linux Security forums, part of the System Security and Security Related category.
I was just checking my firewall logs and found these two entries in among
the usual rubbish:

Jul 10 18:03:41 gateway kernel: IPTABLES-IN=eth1 OUT=
MAC=00:c0:26:a5:02:46:00:0e:39:d1:58:8c:08:00 SRC=134.241.122.135
DST=82.7.13.76 LEN=196 TOS=0x00 PREC=0x00 TTL=108 ID=26954 PROTO=46

Jul 10 18:03:41 gateway kernel: IPTABLES-IN=eth1 OUT=
MAC=00:c0:26:a5:02:46:00:0e:39:d1:58:8c:08:00 SRC=134.241.122.135
DST=82.7.13.76 LEN=180 TOS=0x00 PREC=0x00 TTL=105 ID=31095 PROTO=46

Normally, my firewall log entries have these additional fields:

SPT=xxxx DPT=xxxx WINDOW=xxxx RES=0x00 [SYN|ACK|SYN/ACK|???] URGP=x

I have never seen truncated entries like the above two. Can anyone tell me
what they signify? I *did* find this by Googling:

"What you are seeing is an artifact of running syslog unfortunately.
There is no guarantee that you'll get all the connection attempts
logged. Truncated log entries are somewhat common also."

The only thing being that they are not common here!

--
Rinso
   /\
  /  \
 /wizz\
~~~~~~~~~~~~
Rincewind wrote:
> I was just checking my firewall logs and found these two entries in among
> the usual rubbish:
>
> Jul 10 18:03:41 gateway kernel: IPTABLES-IN=eth1 OUT=
> MAC=00:c0:26:a5:02:46:00:0e:39:d1:58:8c:08:00 SRC=134.241.122.135
> DST=82.7.13.76 LEN=196 TOS=0x00 PREC=0x00 TTL=108 ID=26954 PROTO=46
>
> Jul 10 18:03:41 gateway kernel: IPTABLES-IN=eth1 OUT=
> MAC=00:c0:26:a5:02:46:00:0e:39:d1:58:8c:08:00 SRC=134.241.122.135
> DST=82.7.13.76 LEN=180 TOS=0x00 PREC=0x00 TTL=105 ID=31095 PROTO=46
>
> Normally, my firewall log entries have these additional fields:
>
> SPT=xxxx DPT=xxxx WINDOW=xxxx RES=0x00 [SYN|ACK|SYN/ACK|???] URGP=x
>
> I have never seen truncated entries like the above two. Can anyone tell me
> what they signify? I *did* find this by Googling:
>
> "What you are seeing is an artifact of running syslog unfortunately.
> There is no guarantee that you'll get all the connection attempts
> logged. Truncated log entries are somewhat common also."
>
> The only thing being that they are not common here!

The entries are not truncated: iptables cannot dissect the protocol 46 any
further - it's not TCP or UDP traffic and as such there are no ports to report.

--
Tauno Voipio
tauno voipio (at) iki fi
On Mon, 11 Jul 2005 20:19:04 +0000, Tauno Voipio mumbled something like this:

> Rincewind wrote:
>> I was just checking my firewall logs and found these two entries in
>> among the usual rubbish:
>>
>> Jul 10 18:03:41 gateway kernel: IPTABLES-IN=eth1 OUT=
>> MAC=00:c0:26:a5:02:46:00:0e:39:d1:58:8c:08:00 SRC=134.241.122.135
>> DST=82.7.13.76 LEN=196 TOS=0x00 PREC=0x00 TTL=108 ID=26954 PROTO=46
<snip>
> The entries are not truncated: iptables cannot dissect the protocol 46 any
> further - it's not TCP or UDP traffic and as such there are no ports to
> report.

Ah, I see, thanks. I should have looked further.

IP Protocol 46 - RSVP

Which seems to be used by Windows 2000 (and 2003 and XP?). I'm surprised I
haven't seen it showing up before, though.

--
Rinso
   /\
  /  \
 /wizz\
~~~~~~~~~~~~
Tauno Voipio wrote:
> Rincewind wrote:
>
>> I was just checking my firewall logs and found these two entries in among
>> the usual rubbish:
>>
>> Jul 10 18:03:41 gateway kernel: IPTABLES-IN=eth1 OUT=
>> MAC=00:c0:26:a5:02:46:00:0e:39:d1:58:8c:08:00 SRC=134.241.122.135
>> DST=82.7.13.76 LEN=196 TOS=0x00 PREC=0x00 TTL=108 ID=26954 PROTO=46
>> Jul 10 18:03:41 gateway kernel: IPTABLES-IN=eth1 OUT=
>> MAC=00:c0:26:a5:02:46:00:0e:39:d1:58:8c:08:00 SRC=134.241.122.135
>> DST=82.7.13.76 LEN=180 TOS=0x00 PREC=0x00 TTL=105 ID=31095 PROTO=46
>> ......
>
> The entries are not truncated: iptables cannot dissect
> the protocol 46 any further - it's not TCP or UDP traffic
> and as such there are no ports to report.
>

From iana.org:

mpm-snd 46/tcp MPM [default send]
mpm-snd 46/udp MPM [default send]

A+

--
Jean Claude Szkudlarek
Le travail, c'est la santé ... (Henri Salvador)
scud wrote:
> Tauno Voipio wrote:
>
>> Rincewind wrote:
>>
>>> I was just checking my firewall logs and found these two entries in
>>> among
>>> the usual rubbish:
>>>
>>> Jul 10 18:03:41 gateway kernel: IPTABLES-IN=eth1 OUT=
>>> MAC=00:c0:26:a5:02:46:00:0e:39:d1:58:8c:08:00 SRC=134.241.122.135
>>> DST=82.7.13.76 LEN=196 TOS=0x00 PREC=0x00 TTL=108 ID=26954 PROTO=46
>>> Jul 10 18:03:41 gateway kernel: IPTABLES-IN=eth1 OUT=
>>> MAC=00:c0:26:a5:02:46:00:0e:39:d1:58:8c:08:00 SRC=134.241.122.135
>>> DST=82.7.13.76 LEN=180 TOS=0x00 PREC=0x00 TTL=105 ID=31095 PROTO=46
>>> ......
>>
>>
>> The entries are not truncated: iptables cannot dissect
>> the protocol 46 any further - it's not TCP or UDP traffic
>> and as such there are no ports to report.
>>
> From iana.org:
>
> mpm-snd 46/tcp MPM [default send]
> mpm-snd 46/udp MPM [default send]
>
> A+

The dump says protocol 46 (which does not have any ports)!

TCP is protocol 6 and UDP is protocol 17.
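The two points made in the thread (Tauno Voipio's: a PROTO=46 entry is complete because RSVP carries no ports, so the LOG target has nothing more to print; and the last reply's: PROTO= is an IP protocol number, not a TCP/UDP port number, so the IANA port 46 entries are irrelevant) can be checked mechanically. The parser below is an added example, not code from the thread or from iptables. It takes the two RSVP lines from the original post plus two constructed TCP lines (one intact, one with its tail genuinely cut off), splits each kernel LOG line into its KEY=VALUE fields and bare flags, maps PROTO to a name via a small inline table of IANA protocol numbers, and only reports "truncated" when a protocol the LOG target can dissect (TCP, UDP, ICMP) is missing the fields it always prints. The list of per-protocol fields, the protocol table and the sample log text are this example's own assumptions.

```python
"""Parse iptables LOG lines and tell a port-less protocol apart from a real truncation."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# IP protocol numbers from the IANA "Assigned Internet Protocol Numbers" registry.
# These are IP *protocol* numbers, not TCP/UDP *port* numbers: port 46/tcp is
# mpm-snd, which has nothing to do with protocol 46 (RSVP).
PROTO_NAMES: Dict[int, str] = {
    1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 41: "IPv6", 46: "RSVP",
    47: "GRE", 50: "ESP", 51: "AH", 58: "ICMPv6", 89: "OSPF", 132: "SCTP",
}
NAME_TO_NUM: Dict[str, int] = {name.upper(): num for num, name in PROTO_NAMES.items()}

# Transport-specific fields the LOG target appends after PROTO=... for the
# protocols it can dissect. Assumption for this example: only these three matter.
EXPECTED_TAIL: Dict[int, Set[str]] = {
    6: {"SPT", "DPT", "WINDOW", "RES", "URGP"},  # TCP
    17: {"SPT", "DPT"},                           # UDP
    1: {"TYPE", "CODE"},                          # ICMP
}

# Constructed sample: the two RSVP lines from the post, a complete TCP SYN line,
# and a TCP line with its tail cut off (the only real truncation in the set).
SAMPLE_LOG = """\
Jul 10 18:03:41 gateway kernel: IPTABLES-IN=eth1 OUT= MAC=00:c0:26:a5:02:46:00:0e:39:d1:58:8c:08:00 SRC=134.241.122.135 DST=82.7.13.76 LEN=196 TOS=0x00 PREC=0x00 TTL=108 ID=26954 PROTO=46
Jul 10 18:03:41 gateway kernel: IPTABLES-IN=eth1 OUT= MAC=00:c0:26:a5:02:46:00:0e:39:d1:58:8c:08:00 SRC=134.241.122.135 DST=82.7.13.76 LEN=180 TOS=0x00 PREC=0x00 TTL=105 ID=31095 PROTO=46
Jul 10 18:05:02 gateway kernel: IPTABLES-IN=eth1 OUT= MAC=00:c0:26:a5:02:46:00:0e:39:d1:58:8c:08:00 SRC=198.51.100.7 DST=82.7.13.76 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4711 DF PROTO=TCP SPT=3412 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 10 18:05:03 gateway kernel: IPTABLES-IN=eth1 OUT= MAC=00:c0:26:a5:02:46:00:0e:39:d1:58:8c:08:00 SRC=198.51.100.7 DST=82.7.13.76 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4712 DF PROTO=TCP SPT=3413
"""


@dataclass
class LogEntry:
    prefix: str                 # the --log-prefix text, e.g. "IPTABLES-"
    fields: Dict[str, str]      # KEY=VALUE pairs (IN, SRC, PROTO, SPT, ...)
    flags: Set[str]             # bare tokens: DF, MF, SYN, ACK, ...
    proto_num: Optional[int]
    proto_name: str
    verdict: str                # "complete", "truncated" or "unparseable"
    reason: str


def parse_iptables_log(line: str) -> LogEntry:
    """Split one kernel LOG line into fields and judge whether it is truncated."""
    m = re.search(r"kernel:\s*(?P<prefix>.*?)(?=IN=)", line)
    if not m:
        return LogEntry("", {}, set(), None, "?", "unparseable", "no IN= field")
    fields: Dict[str, str] = {}
    flags: Set[str] = set()
    for tok in line[m.end():].split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # MAC=... keeps its colons intact
            fields[key] = value
        else:
            flags.add(tok)                   # DF, SYN, ACK, ... carry no "="
    raw = fields.get("PROTO", "")
    # The kernel prints TCP/UDP/ICMP by name and everything else as a number.
    num = int(raw) if raw.isdigit() else NAME_TO_NUM.get(raw.upper())
    name = PROTO_NAMES.get(num, raw) if num is not None else raw
    if num is None:
        verdict, reason = "unparseable", f"unknown PROTO value {raw!r}"
    elif num in EXPECTED_TAIL:
        missing = sorted(EXPECTED_TAIL[num] - set(fields))
        if missing:
            verdict, reason = "truncated", f"{name} entry lacks {missing}"
        else:
            verdict, reason = "complete", f"{name} entry carries all its fields"
    else:
        verdict = "complete"
        reason = f"protocol {num} ({name}) has no ports; LOG has nothing more to print"
    return LogEntry(m.group("prefix"), fields, flags, num, name, verdict, reason)


def analyze(log_text: str) -> List[LogEntry]:
    return [parse_iptables_log(ln) for ln in log_text.splitlines() if ln.strip()]


def verdict_counts(log_text: str) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in analyze(log_text):
        counts[e.verdict] = counts.get(e.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for e in analyze(SAMPLE_LOG):
        print(f"{e.fields.get('SRC', '?'):>16} -> {e.fields.get('DST', '?'):<14} "
              f"PROTO={e.proto_name:<5} {e.verdict:<11} {e.reason}")
```

Run against the sample, the two PROTO=46 lines come back "complete" with the RSVP explanation, the intact TCP line is "complete", and only the constructed line that stops after SPT= is "truncated", which is the distinction the thread arrives at. When extending EXPECTED_TAIL for a real deployment, take the field names from the LOG lines your own kernel version emits rather than from this table.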