RE: Access list Log interpretation.

From: Snow, Tim (timothy.snow@eds.com)
Date: Wed Oct 01 2003 - 05:46:47 GMT-3


Do you have a deny UDP any any? If so, it may not show you the exact port.

If for example you did "access-list 101 deny tcp any any eq telnet" I
believe you may see a (23) in your ACL output?

You could always try "access-list 101 permit udp any any range 0 65535" and
that should show the port numbers in the output.

Sound right?

Tim
#12042

-----Original Message-----
From: Donny MATEO [mailto:donny.mateo@sg.ca-indosuez.com]
Sent: Wednesday, October 01, 2003 4:03 AM
To: ccielab@groupstudy.com
Subject: Access list Log interpretation.

Hi Guys,

I have a silly question. How do you digest the output of the access-list
log? Especially those numbers in the brackets just after the IP address.
I always regard them as port numbers. But if this is true, the entry below
means the connection is initiated from source port 0 and destined to port
0, which is a bit strange. To my limited knowledge (read dumb), I
remember port 0 as being a reserved port, and this kind of activity is
usually associated with fingerprinting attacks. Does this still apply?

Sep 30 15:53:34 SG: %SEC-6-IPACCESSLOGP: list eightfloorACL_IN denied udp 10.129.7.34(0) -> 10.129.7.63(0), 3 packets
Sep 30 15:53:34 SG: %SEC-6-IPACCESSLOGDP: list eightfloorACL_IN denied icmp 10.129.7.34 -> 10.126.209.106 (0/0), 4 packets
Sep 30 15:58:14 SG: %SEC-6-IPACCESSLOGP: list eightfloorACL_IN denied tcp 10.129.7.35(0) -> 10.126.131.20(0), 1 packet

Donny
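
The log format discussed in this thread, as an added example that is not part of the original messages: a Python parser for the two message types shown in the post that separates TCP/UDP entries logged with (0) on both sides from entries that carry usable port numbers. Treating (0)/(0) as "port not recorded" follows the reply's suggestion and is an assumption; the function names and the last sample line are constructed for illustration.

```python
import re

# IPACCESSLOGP: TCP/UDP entries, port in parentheses after each address.
PORT_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")
# IPACCESSLOGDP: ICMP entries, (type/code) after the destination address.
ICMP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>icmp) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"\((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\), (?P<count>\d+) packets?")
INT_FIELDS = ("sport", "dport", "icmp_type", "icmp_code", "count")

def parse_line(line):
    """Return a dict for one ACL log line, or None if it is not one."""
    line = " ".join(line.split())  # undo mail wrapping and repeated spaces
    for regex in (PORT_RE, ICMP_RE):
        m = regex.search(line)
        if m:
            rec = {k: int(v) if k in INT_FIELDS else v
                   for k, v in m.groupdict().items()}
            # Assumption taken from the reply: (0) on both sides of a TCP/UDP
            # entry means the port was not recorded, not literal port 0.
            rec["ports_not_recorded"] = (
                rec.get("sport") == 0 and rec.get("dport") == 0)
            return rec
    return None

def ports_not_recorded(lines):
    """Parsed records whose port fields tell the analyst nothing."""
    parsed = (parse_line(l) for l in lines)
    return [r for r in parsed if r and r["ports_not_recorded"]]

SAMPLE = [  # first three lines are from the post; the last one is constructed
    "Sep 30 15:53:34 SG: %SEC-6-IPACCESSLOGP: list eightfloorACL_IN denied udp 10.129.7.34(0) -> 10.129.7.63(0), 3 packets",
    "Sep 30 15:53:34 SG: %SEC-6-IPACCESSLOGDP: list eightfloorACL_IN denied icmp 10.129.7.34 -> 10.126.209.106 (0/0), 4 packets",
    "Sep 30 15:58:14 SG: %SEC-6-IPACCESSLOGP: list eightfloorACL_IN denied tcp 10.129.7.35(0) -> 10.126.131.20(0), 1 packet",
    "Sep 30 16:01:02 SG: %SEC-6-IPACCESSLOGP: list eightfloorACL_IN denied tcp 10.129.7.40(1045) -> 10.126.131.20(23), 1 packet",
]

if __name__ == "__main__":
    for rec in ports_not_recorded(SAMPLE):
        print(rec["acl"], rec["proto"], rec["src"], "->", rec["dst"], rec["count"])
```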




This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:52:54 GMT-3