* RE: Source and Destination port 0
From: Daniel Chemko @ 2003-07-15 19:36 UTC
To: Geffrey Velasquez, Ramin Dousti; +Cc: netfilter
How about the fact that these packets are for T/TCP aka Transactional
TCP, not regular TCP!
-----Original Message-----
From: Geffrey Velasquez [mailto:g_netfilter@netfids.com]
Sent: Tuesday, July 15, 2003 12:16 PM
To: Ramin Dousti
Cc: netfilter@lists.netfilter.org
Subject: Re[2]: Source and Destination port 0
More detail:
RD> If the FORWARD chain is not blocking these faulty packets it might mean
RD> that the packets are being generated on the firewall itself.
Maybe, but in this supposed case my firewall would have had to be compromised.
It has tripwire installed and I don't see signs of intrusion.
RD> Try to block
RD> them on the OUTPUT chain as well and see what happens.
I also put the rules in the OUTPUT chain, and I still keep getting
the packets.
RD> The next step would
RD> be to figure out why you get them.
Here is a sample of the snort logs; the destination IP is an internal
NATed IP address, and maybe the source IP is spoofed:
[**] [116:56:1] (snort_decoder): T/TCP Detected [**]
07/15-13:46:24.988459 216.136.173.130:0 -> . . . :0
TCP TTL:52 TOS:0x0 ID:59827 IpLen:20 DgmLen:68 DF
******S* Seq: 0x65FF5C67 Ack: 0x0 Win: 0xFFFF TcpLen: 48
[**] [116:56:1] (snort_decoder): T/TCP Detected [**]
07/15-13:47:20.446750 66.163.169.17:0 -> . . . :0
TCP TTL:51 TOS:0x0 ID:32453 IpLen:20 DgmLen:68 DF
******S* Seq: 0xFE485E60 Ack: 0x0 Win: 0xFFFF TcpLen: 48
I will continue investigating, but could someone give me
recommendations?
Regards,
Geffrey
RD> Ramin
RD> On Tue, Jul 15, 2003 at 12:16:44PM -0500, Geffrey Velasquez wrote:
>> Hello Friends,
>>
>> I have in my IDS logs packets coming from outside to DMZ servers with
>> source port 0 and destination port 0.
>>
>> The IDS is located in the DMZ network, and I have an iptables
>> firewall, kernel-2.4.18-26.1.99_kb2c.1foo over RH 8 (that is the
>> kernel with superfreeswan patches).
>>
>> I tried this pair of rules at the top of the FORWARD chain:
>>
>> $IPT -A FORWARD -p tcp --sport 0 -j LOG --log-prefix "Zero: "
>> $IPT -A FORWARD -p tcp --sport 0 -j DROP
>>
>> also:
>>
>> $IPT -A FORWARD -p tcp --sport 0 --dport 0 -j LOG --log-prefix "Cero: "
>> $IPT -A FORWARD -p tcp --sport 0 --dport 0 -j DROP
>>
>> After that I still see the bad packets on the IDS; how could I
>> filter this kind of packet?
>>
>>
>> --
>> Best regards,
>> Geffrey mailto:g_netfilter@netfids.com
>>
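The snort_decoder alerts quoted above, parsed and triaged as an added example (this is not code from the thread or from the netfilter project). The sample alert text is constructed in the same layout with RFC 5737 documentation addresses in place of the real ones, and suggest_rules repeats Geffrey's port-0 LOG/DROP pair on INPUT, FORWARD and OUTPUT, where extending beyond the FORWARD and OUTPUT chains discussed in the thread is this example's own assumption.

```python
import re

# Constructed sample in the layout of the snort_decoder alerts quoted in the
# thread; the addresses are RFC 5737 documentation ranges, not the real ones.
SAMPLE_ALERTS = """\
[**] [116:56:1] (snort_decoder): T/TCP Detected [**]
07/15-13:46:24.988459 198.51.100.7:0 -> 192.0.2.10:0
TCP TTL:52 TOS:0x0 ID:59827 IpLen:20 DgmLen:68 DF
******S* Seq: 0x65FF5C67 Ack: 0x0 Win: 0xFFFF TcpLen: 48
[**] [1:1000001:1] constructed ordinary SYN [**]
07/15-13:47:20.446750 198.51.100.9:40321 -> 192.0.2.10:80
TCP TTL:51 TOS:0x0 ID:32453 IpLen:20 DgmLen:60 DF
******S* Seq: 0xFE485E60 Ack: 0x0 Win: 0xFFFF TcpLen: 40
"""
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+) \[\*\*\]$")
ADDR_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
IP_RE = re.compile(r"^TCP TTL:(\d+) TOS:\S+ ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
TCP_RE = re.compile(r"^(\S{8}) Seq: 0x(\w+) Ack: 0x\w+ Win: 0x\w+ TcpLen: (\d+)$")

def parse_alerts(text):
    """Parse four-line alert blocks into dicts; a malformed block is skipped."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    alerts = []
    for i in range(0, len(lines) - 3, 4):
        h, a, ip, tcp = (HEADER_RE.match(lines[i]), ADDR_RE.match(lines[i + 1]),
                         IP_RE.match(lines[i + 2]), TCP_RE.match(lines[i + 3]))
        if not (h and a and ip and tcp):
            continue
        alerts.append({"gid_sid": (int(h[1]), int(h[2])), "msg": h[4], "time": a[1],
                       "src": a[2], "sport": int(a[3]), "dst": a[4],
                       "dport": int(a[5]), "ttl": int(ip[1]), "flags": tcp[1],
                       # TcpLen minus the 20-byte fixed header = option bytes
                       "opt_len": int(tcp[3]) - 20})
    return alerts

def triage(alert):
    """Reasons to go beyond Geffrey's FORWARD-only rules for this alert."""
    reasons = []
    if alert["sport"] == 0 or alert["dport"] == 0:
        reasons.append("port 0")
    if alert["gid_sid"] == (116, 56):  # snort_decoder T/TCP Detected, as in the thread
        reasons.append("decoder classified as T/TCP (RFC 1644)")
    return reasons

def suggest_rules(alert, chains=("INPUT", "FORWARD", "OUTPUT")):
    """Geffrey's LOG/DROP pair for the port-0 side of the alert on every chain
    (adding INPUT and OUTPUT to FORWARD is this example's assumption)."""
    match = "--sport 0" if alert["sport"] == 0 else "--dport 0"
    return [f"iptables -A {c} -p tcp {match} -j {target}"
            for c in chains for target in ("LOG --log-prefix 'Zero: '", "DROP")]
```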
* Re: Source and Destination port 0
From: Ramin Dousti @ 2003-07-15 19:51 UTC
To: Daniel Chemko; +Cc: Geffrey Velasquez, netfilter
On Tue, Jul 15, 2003 at 12:36:16PM -0700, Daniel Chemko wrote:
>
> How about the fact that these packets are for T/TCP aka Transactional
> TCP, not regular TCP!
Yes. There must be something about T/TCP packets that prevents them
from being matched by a regular "-p tcp" option. I don't know much about
T/TCP, but reading RFC 1644 might help at least block them on the firewall.
Ramin
* Re[2]: Source and Destination port 0
From: Geffrey Velasquez @ 2003-07-15 20:04 UTC
To: Ramin Dousti; +Cc: Daniel Chemko, netfilter
Hello Ramin and Daniel, thank you for the information. I will read the
RFC and then try to block them on the firewall; I will be giving more
information to the list.
Regards,
Geffrey
RD> On Tue, Jul 15, 2003 at 12:36:16PM -0700, Daniel Chemko wrote:
>>
>> How about the fact that these packets are for T/TCP aka Transactional
>> TCP, not regular TCP!
RD> Yes. There must be something about T/TCP packets that prevents them
RD> from being matched by a regular "-p tcp" option. I don't know much about
RD> T/TCP, but reading RFC 1644 might help at least block them on the firewall.
RD> Ramin
--
Best regards,
Geffrey mailto:g_netfilter@netfids.com
* Re: Source and Destination port 0
From: Ramin Dousti @ 2003-07-15 19:29 UTC
To: Geffrey Velasquez; +Cc: netfilter
On Tue, Jul 15, 2003 at 02:16:08PM -0500, Geffrey Velasquez wrote:
> I will continue investigating, but someone could give me
> recommendations?
http://archives.neohapsis.com/archives/incidents/2003-04/0141.html
>
>
> Regards,
> Geffrey
* Re: Source and Destination port 0
From: Ramin Dousti @ 2003-07-15 17:57 UTC
To: Geffrey Velasquez; +Cc: netfilter
If the FORWARD chain is not blocking these faulty packets it might mean
that the packets are being generated on the firewall itself. Try to block
them on the OUTPUT chain as well and see what happens. The next step would
be to figure out why you get them. What is the src and dst of the packets?
Anything meaningful?
Ramin
On Tue, Jul 15, 2003 at 12:16:44PM -0500, Geffrey Velasquez wrote:
> Hello Friends,
>
> I have in my IDS logs packets coming from outside to DMZ servers with
> source port 0 and destination port 0.
>
> The IDS is located in the DMZ network, and I have an iptables
> firewall, kernel-2.4.18-26.1.99_kb2c.1foo over RH 8 (that is the
> kernel with superfreeswan patches).
>
> I tried this pair of rules at the top of the FORWARD chain:
>
> $IPT -A FORWARD -p tcp --sport 0 -j LOG --log-prefix "Zero: "
> $IPT -A FORWARD -p tcp --sport 0 -j DROP
>
> also:
>
> $IPT -A FORWARD -p tcp --sport 0 --dport 0 -j LOG --log-prefix "Cero: "
> $IPT -A FORWARD -p tcp --sport 0 --dport 0 -j DROP
>
> After that I still see the bad packets on the IDS; how could I
> filter this kind of packet?
>
>
> --
> Best regards,
> Geffrey mailto:g_netfilter@netfids.com
>
* Source and Destination port 0
From: Geffrey Velasquez @ 2003-07-15 17:16 UTC
To: netfilter
Hello Friends,
I have in my IDS logs packets coming from outside to DMZ servers with
source port 0 and destination port 0.
The IDS is located in the DMZ network, and I have an iptables
firewall, kernel-2.4.18-26.1.99_kb2c.1foo over RH 8 (that is the
kernel with superfreeswan patches).
I tried this pair of rules at the top of the FORWARD chain:
$IPT -A FORWARD -p tcp --sport 0 -j LOG --log-prefix "Zero: "
$IPT -A FORWARD -p tcp --sport 0 -j DROP
also:
$IPT -A FORWARD -p tcp --sport 0 --dport 0 -j LOG --log-prefix "Cero: "
$IPT -A FORWARD -p tcp --sport 0 --dport 0 -j DROP
After that I still see the bad packets on the IDS; how could I
filter this kind of packet?
--
Best regards,
Geffrey mailto:g_netfilter@netfids.com