From: Donny MATEO (donny.mateo@sg.ca-indosuez.com)
Date: Wed Oct 01 2003 - 05:58:13 GMT-3
Nope, I don't have any udp deny, but I do have deny ip any any log.
If you look closely, both samples have udp and tcp. I'm just confused by
the inconsistency, because on the same router (MSFC of 6509) I can see the
following output:
Sep 29 17:00:47 SG: %SEC-6-IPACCESSLOGP: list abc denied udp 10.129.88.139(53) -> 10.129.9.210(32853), 1 packet
This is clearly a reply from a DNS server to a client DNS query (judging
from port 53 replying to the so-called ephemeral (>1024) ports).
Both access-lists incorporate the statement deny ip any any log.
Based on that, I assume the one in my first mail indicates a packet from
source port 0 destined to port 0, which, according to some security
note, could be considered a fingerprinting attack.
Can anyone confirm this interpretation?
Donny
#11189
"Snow, Tim" <timothy.snow@eds.com>
10/01/2003 04:46 PM
To: "'Donny MATEO'" <donny.mateo@sg.ca-indosuez.com>
cc: "'ccielab@groupstudy.com'" <ccielab@groupstudy.com>
Subject: RE: Access list Log interpretation.
Do you have a deny UDP any any? If so, it may not show you the exact
port.
If, for example, you did "access-list 101 deny tcp any any eq telnet", I
believe you may see a (23) in your ACL output.
You could always try "access-list 101 permit udp any any range 0 65535",
and that should show the port numbers in the output.
Sound right?
Tim
#12042
-----Original Message-----
From: Donny MATEO [mailto:donny.mateo@sg.ca-indosuez.com]
Sent: Wednesday, October 01, 2003 4:03 AM
To: ccielab@groupstudy.com
Subject: Access list Log interpretation.
Hi Guys,
I have a silly question. How do you digest the output of the access-list
log? Especially those numbers in the brackets just after the IP address.
I always regarded them as port numbers. But if this is true, the entries below
mean the connection is initiated from source port 0 and destined to port
0, which is a bit strange. Since, to my limited knowledge (read: dumb), I
remember port 0 as being a reserved port, and this kind of activity is
usually associated with fingerprinting attacks. Does this still apply?
Sep 30 15:53:34 SG: %SEC-6-IPACCESSLOGP: list eightfloorACL_IN denied udp 10.129.7.34(0) -> 10.129.7.63(0), 3 packets
Sep 30 15:53:34 SG: %SEC-6-IPACCESSLOGDP: list eightfloorACL_IN denied icmp 10.129.7.34 -> 10.126.209.106 (0/0), 4 packets
Sep 30 15:58:14 SG: %SEC-6-IPACCESSLOGP: list eightfloorACL_IN denied tcp 10.129.7.35(0) -> 10.126.131.20(0), 1 packet
Donny
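The log lines quoted in this thread are the kind of thing a small parser can sort out mechanically. The script below is an added example and is not code from anyone on the list; it parses IOS %SEC-6-IPACCESSLOGP and %SEC-6-IPACCESSLOGDP messages and works on the assumption Tim raises in his reply: that the (port) fields are only filled in when the matching ACE itself specified ports, so a hit on "deny ip any any log" comes out as (0) -> (0) and should be read as "ports not reported", not as traffic to or from port 0. The inputs are the lines quoted above plus one constructed line (marked as such) that shows what a port-specific ACE logs; the category names, EPHEMERAL_MIN and the triage() helper are my own choices.

```python
"""Classify Cisco IOS ACL log lines (%SEC-6-IPACCESSLOGP / IPACCESSLOGDP).

Added example, not from the mailing-list thread. Assumption (Tim's point):
IOS fills in the L4 port fields only when the matching ACE specified ports;
an ACE like "deny ip any any log" shows both ports as 0.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# tcp/udp form: "... denied udp A.B.C.D(SPORT) -> A.B.C.D(DPORT), N packet(s)"
LOGP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
# icmp form: "... denied icmp A.B.C.D -> A.B.C.D (TYPE/CODE), N packet(s)"
LOGDP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"icmp (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"\((?P<itype>\d+)/(?P<icode>\d+)\), (?P<count>\d+) packets?"
)

EPHEMERAL_MIN = 1024  # the ">1024" ephemeral boundary the thread uses

# The first four lines are the ones quoted in the thread; the last one is
# constructed for this example to show a port-specific ACE logging real ports.
SAMPLE_LINES: List[str] = [
    "Sep 30 15:53:34 SG: %SEC-6-IPACCESSLOGP: list eightfloorACL_IN denied udp 10.129.7.34(0) -> 10.129.7.63(0), 3 packets",
    "Sep 30 15:53:34 SG: %SEC-6-IPACCESSLOGDP: list eightfloorACL_IN denied icmp 10.129.7.34 -> 10.126.209.106 (0/0), 4 packets",
    "Sep 30 15:58:14 SG: %SEC-6-IPACCESSLOGP: list eightfloorACL_IN denied tcp 10.129.7.35(0) -> 10.126.131.20(0), 1 packet",
    "Sep 29 17:00:47 SG: %SEC-6-IPACCESSLOGP: list abc denied udp 10.129.88.139(53) -> 10.129.9.210(32853), 1 packet",
    "Oct 01 09:12:00 SG: %SEC-6-IPACCESSLOGP: list abc denied tcp 10.129.7.40(41022) -> 10.126.131.20(23), 2 packets",
]


@dataclass
class AclLogEntry:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    icmp_code: int = 0
    count: int = 1

    def ports_reported(self) -> bool:
        """True when the ACE matched on ports and IOS logged the real values
        (assumption: a (0) -> (0) pair means "not reported", not port 0)."""
        return self.proto in ("tcp", "udp") and (self.sport != 0 or self.dport != 0)


def parse_line(line: str) -> Optional[AclLogEntry]:
    """Parse one syslog line; return None for anything that is not an ACL log hit."""
    m = LOGP_RE.search(line)
    if m:
        return AclLogEntry(acl=m["acl"], action=m["action"], proto=m["proto"],
                           src=m["src"], dst=m["dst"], sport=int(m["sport"]),
                           dport=int(m["dport"]), count=int(m["count"]))
    m = LOGDP_RE.search(line)
    if m:
        return AclLogEntry(acl=m["acl"], action=m["action"], proto="icmp",
                           src=m["src"], dst=m["dst"], icmp_type=int(m["itype"]),
                           icmp_code=int(m["icode"]), count=int(m["count"]))
    return None


def interpret(e: AclLogEntry) -> str:
    """Name what the log line actually tells you (category names are my own)."""
    if e.proto == "icmp":
        # IPACCESSLOGDP carries type/code, not ports; report it as logged.
        return f"icmp-{e.icmp_type}/{e.icmp_code}"
    if not e.ports_reported():
        # "deny ip any any log" hit: the router never looked at L4 ports.
        return "ports-not-reported"
    if e.proto == "udp" and e.sport == 53 and e.dport >= EPHEMERAL_MIN:
        return "dns-reply"  # server port 53 answering an ephemeral client port
    if e.dport < EPHEMERAL_MIN <= e.sport:
        return "client-to-service"  # ephemeral source to a well-known service
    return "unclassified"


def triage(lines: List[str]) -> Dict[str, int]:
    """Sum the logged packet counts per category across a batch of lines."""
    totals: Dict[str, int] = {}
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        cat = interpret(e)
        totals[cat] = totals.get(cat, 0) + e.count
    return totals


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        entry = parse_line(line)
        print(interpret(entry), "<-", line.split("list ", 1)[1])
    print(triage(SAMPLE_LINES))
```

If you want the real ports in the log, the fix is in the ACL rather than the parser: put a port-qualified tcp/udp ACE with the log keyword ahead of the final deny ip any any log, as Tim suggests, and the (0) fields become actual port numbers.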
This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:52:54 GMT-3