maxima Apprentice
Joined: 01 Oct 2004 Posts: 150
Posted: Tue Nov 01, 2005 11:30 am Post subject: what is this thing filling up my log?
```
Nov 1 22:26:08 debussy Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:50:8d:f5:63:0b:00:09:f3:08:cc:86:08:00 SRC=0.0.0.0 DST=0.0.0.0 LEN=52 TOS=00 PREC=0x00 TTL=32 ID=63078 CE PROTO=UDP SPT=17185 DPT=0 LEN=32
Nov 1 22:26:20 debussy Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:50:8d:f5:63:0b:00:09:f3:08:cc:86:08:00 SRC=0.0.0.0 DST=0.0.0.0 LEN=52 TOS=00 PREC=0x00 TTL=32 ID=64102 CE PROTO=UDP SPT=17185 DPT=0 LEN=32
Nov 1 22:26:33 debussy Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:50:8d:f5:63:0b:00:09:f3:08:cc:86:08:00 SRC=0.0.0.0 DST=0.0.0.0 LEN=52 TOS=00 PREC=0x00 TTL=32 ID=65126 CE PROTO=UDP SPT=17185 DPT=0 LEN=32
Nov 1 22:26:45 debussy Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:50:8d:f5:63:0b:00:09:f3:08:cc:86:08:00 SRC=0.0.0.0 DST=0.0.0.0 LEN=52 TOS=00 PREC=0x00 TTL=32 ID=615 PROTO=UDP SPT=17185 DPT=0 LEN=32
```
Anyone know where it comes from? I get this every 12 secs.

moocha Watchman
Joined: 21 Oct 2003 Posts: 5722
Posted: Tue Nov 01, 2005 12:15 pm Post subject:
It's output from the firewall (you're using Shorewall). Looks like it's logging a UDP port scan.
I personally consider it utterly pointless to log attacks. That they happen is a given, the logs are almost always useless since the source IPs are spoofed or belong to infected Windows zombie machines, and all this logging does is place load on the system and fill up disk space.
_________________
Military Commissions Act of 2006: http://tinyurl.com/jrcto
"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety."
-- attributed to Benjamin Franklin

MrUlterior Guru
Joined: 22 Mar 2005 Posts: 511 Location: Switzerland
Posted: Tue Nov 01, 2005 12:38 pm Post subject:
moocha wrote:
> It's output from the firewall (you're using Shorewall). Looks like it's logging a UDP port scan.
> I personally consider it utterly pointless to log attacks. That they happen is a given, the logs are almost always useless since the source IPs are spoofed or belong to infected Windows zombie machines, and all this logging does is place load on the system and fill up disk space.

Just set limits to the amount of matches and rotate your log files sufficiently - else you'll have no logs when you really need them
_________________
Misanthropy 2.0 - enough hate to go around

moocha Watchman
Joined: 21 Oct 2003 Posts: 5722
Posted: Tue Nov 01, 2005 1:07 pm Post subject:
I'm aware that can be done, but in 8 years I have still to come across a single instance where firewall output was actually useful against attacks, since it's rarely if ever admissible or non-challengeable as evidence in court, and more often than not points towards NICs belonging to people that aren't at fault. And I hate to fill up even 10 bytes with stuff I won't ever need.

maxima Apprentice
Joined: 01 Oct 2004 Posts: 150
Posted: Wed Nov 02, 2005 11:21 am Post subject:
Hmm, who is trying to attack me? My computer is behind a router and there are 2 other computers (1 Mac & 1 Windows) on my local network.
And I still got those messages when these 2 computers are turned off.
MrUlterior, how do I limit the amount of matches?
Btw I know where that 12 secs came from, it's the LOGRATE. I set it up to 5/minutes so I have one log every 12 secs.
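
An added example, not part of any post in this thread: a small Python parser for the netfilter LOG lines quoted in the first post. It splits the `MAC=` field into destination MAC, source MAC and EtherType, which identifies the device on the local segment that transmitted the frame even when `SRC` is 0.0.0.0, and groups the entries by flow. The function names `parse` and `summarize` are illustrative.

```python
import re
from collections import Counter

# The four log lines from the first post, verbatim.
SAMPLE = """\
Nov 1 22:26:08 debussy Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:50:8d:f5:63:0b:00:09:f3:08:cc:86:08:00 SRC=0.0.0.0 DST=0.0.0.0 LEN=52 TOS=00 PREC=0x00 TTL=32 ID=63078 CE PROTO=UDP SPT=17185 DPT=0 LEN=32
Nov 1 22:26:20 debussy Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:50:8d:f5:63:0b:00:09:f3:08:cc:86:08:00 SRC=0.0.0.0 DST=0.0.0.0 LEN=52 TOS=00 PREC=0x00 TTL=32 ID=64102 CE PROTO=UDP SPT=17185 DPT=0 LEN=32
Nov 1 22:26:33 debussy Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:50:8d:f5:63:0b:00:09:f3:08:cc:86:08:00 SRC=0.0.0.0 DST=0.0.0.0 LEN=52 TOS=00 PREC=0x00 TTL=32 ID=65126 CE PROTO=UDP SPT=17185 DPT=0 LEN=32
Nov 1 22:26:45 debussy Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:50:8d:f5:63:0b:00:09:f3:08:cc:86:08:00 SRC=0.0.0.0 DST=0.0.0.0 LEN=52 TOS=00 PREC=0x00 TTL=32 ID=615 PROTO=UDP SPT=17185 DPT=0 LEN=32
"""

FIELD = re.compile(r"(\w+)=(\S*)")
CLOCK = re.compile(r"\b(\d\d):(\d\d):(\d\d)\b")


def parse(line):
    """Parse one netfilter LOG line into a dict, splitting the MAC= field."""
    rec = {}
    for key, value in FIELD.findall(line):
        rec.setdefault(key, value)  # keep the first LEN (IP length), not the UDP one
    h, m, s = map(int, CLOCK.search(line).groups())  # syslog timestamp comes first
    rec["secs"] = h * 3600 + m * 60 + s
    # MAC= is the raw Ethernet header: 6 bytes destination, 6 bytes source, 2 bytes EtherType.
    octets = rec["MAC"].split(":")
    rec["dst_mac"] = ":".join(octets[:6])
    rec["src_mac"] = ":".join(octets[6:12])
    rec["ethertype"] = "".join(octets[12:14])
    return rec


def summarize(text):
    """Group entries by sender and flow; return (flow counts, gaps in seconds)."""
    recs = [parse(l) for l in text.splitlines() if "MAC=" in l]
    flows = Counter(
        (r["src_mac"], r["SRC"], r["DST"], r["PROTO"], r["SPT"], r["DPT"]) for r in recs
    )
    gaps = [b["secs"] - a["secs"] for a, b in zip(recs, recs[1:])]
    return flows, gaps


if __name__ == "__main__":
    flows, gaps = summarize(SAMPLE)
    for (mac, src, dst, proto, spt, dpt), n in flows.most_common():
        print(f"{n}x from MAC {mac}: {proto} {src}:{spt} -> {dst}:{dpt}")
    print("seconds between logged entries:", gaps)
```

The spacing between entries reflects the LOGRATE limit described in the last post, so it says nothing about how often the packets actually arrive.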