[NBLUG/talk] SuSEFirewall2 How to read the log file?

Micxz (lovedialup.com) an_email at micxz.com
Fri Jul 11 10:39:00 PDT 2003


> Micxz (lovedialup.com) wrote:
> > I'm looking at my messages log and am a bit lost in its output:
> > Jul 10 21:27:40 mars kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC=
> > SRC=200.52.172.13 DST=66.xxx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=110
> > ID=9313 DF PROTO=TCP SPT=2716 DPT=2723 WINDOW=16384 RES=0x00 SYN
> > URGP=0 OPT (0204056401010402)
> [...]
> > Can you guys help me is the way to read the rest of the info? And are
> > there some theories on why random PC's are trying to connect to our
> > linux boxes? (usually three packets at a time.)
> 
> i usually look at the 'DPT' (destination port) so i can get an idea of
> what this machine is looking for on my machine.
> 
> http://www.iana.org/assignments/port-numbers
> 
> "watchdognt   2723/tcp   WatchDog NT"
> 
> from the information you gave i would assume they are looking for the
> watchdog nt service on your machine. maybe there is some specific
> vulnerability they are looking for, or maybe it is just someone on the
> other end who doesn't know what they are doing, and it is an errant packet.
> 
> augie.

What's an errant packet? How do you think these packets get there? There
is the possibility someone's looking for a vulnerability like you say. I
get a lot from overseas. Connections on Microsoft-ds ports, for example,
etc. I'm thinking it's infected Windows computers maybe sending out this
stuff. Where do you think most of the packets come from?

Micxz
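The log line quoted in this thread is the netfilter LOG format that SuSEFirewall2 writes to the kernel log; the fields are key=value pairs plus bare flag tokens (DF, SYN, ...). The following parser and per-port summary is an added example written for this page, not code from the list or from SuSE; the sample log lines are constructed, the DST addresses are placeholders, and the SERVICE_NAMES table is a hypothetical subset of the IANA list augie links to.

```python
import re
from collections import Counter

# IP and TCP flag tokens that the netfilter LOG target emits without a "=".
KNOWN_FLAGS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# Hypothetical subset of the IANA port-numbers list (2723/tcp is the one from the thread).
SERVICE_NAMES = {2723: "watchdognt", 445: "microsoft-ds", 137: "netbios-ns",
                 139: "netbios-ssn", 22: "ssh", 80: "http"}

# Constructed sample: SuSEFirewall2 drop lines plus one unrelated syslog line.
SAMPLE_LOG = """\
Jul 10 21:27:40 mars kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=200.52.172.13 DST=66.0.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=9313 DF PROTO=TCP SPT=2716 DPT=2723 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Jul 10 21:27:43 mars kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=200.52.172.13 DST=66.0.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=9314 DF PROTO=TCP SPT=2716 DPT=2723 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Jul 10 22:01:12 mars kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=10.9.8.7 DST=66.0.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=100 DF PROTO=TCP SPT=3311 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 10 22:05:00 mars kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=10.9.8.7 DST=66.0.0.1 LEN=78 TOS=0x00 PREC=0x00 TTL=115 ID=101 PROTO=UDP SPT=1026 DPT=137 LEN=58
Jul 10 22:06:00 mars sshd[123]: Accepted publickey for root
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>SuSE-FW-\S+) (?P<rest>.*)$")

def parse_line(line):
    """Return a dict for one SuSEFirewall2 kernel log line, or None for any other syslog line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "prefix": m["prefix"], "flags": set()}
    for tok in m["rest"].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec.setdefault(key, val)  # UDP lines carry LEN twice (IP, then UDP); keep the IP one
        elif tok in KNOWN_FLAGS:
            rec["flags"].add(tok)     # bare tokens like DF or SYN; "OPT (...)" is ignored
    for key in ("SPT", "DPT", "TTL", "LEN", "ID"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec

def summarize(log_text):
    """Count dropped packets per (source, proto, DPT), busiest first, and how many were bare SYNs."""
    per_target, syn_only = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "DPT" not in rec:
            continue
        key = (rec["SRC"], rec["PROTO"], rec["DPT"])
        per_target[key] += 1
        # A SYN with no ACK/FIN/RST is a connection attempt (a probe), not a reply to our traffic.
        if rec["PROTO"] == "TCP" and rec["flags"] & {"SYN", "ACK", "FIN", "RST"} == {"SYN"}:
            syn_only[key] += 1
    return [{"src": src, "proto": proto, "dpt": dpt, "packets": n,
             "service": SERVICE_NAMES.get(dpt, f"unknown/{dpt}"), "syn_only": syn_only[(src, proto, dpt)]}
            for (src, proto, dpt), n in per_target.most_common()]
```

Running `summarize(open("/var/log/messages").read())` lists which hosts knocked on which ports and how often, which is the "three packets at a time" pattern the question describes (TCP retransmitting an unanswered SYN).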