Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I recently reviewed my Snort log and saw an amazing 78 page long log of basically the same thing over and over. Now if someone can tell me what is causing this, that would be great, or just tell me how to get Snort to ignore the particular host (my cable modem).
The cable modem is for some reason holding an IP which is obviously a private class A which for the life of me I can't seem to port scan or find out what it's doing. The cable modem is 10.96.216.1. I have no idea what 172.16.1.33 is, all I know is it's private.
--tarballedtux
Last edited by tarballedtux; 10-09-2002 at 08:57 PM.
In snort.conf:
If you for instance have "var HOME_NET [68.81.38.0/24]" (public interface address, .237/32 or .0/24), add "include <snort custom rules dir>/pass.rules". In <snort custom rules dir>/pass.rules: pass icmp $HOME_NET any -> any any (msg:"ICMP Destination Unreachable (Communication Administratively Prohibited)"; itype:3; icode:13;)
should do it, else just substitute the $HOME_NET in the rule for the IP address of the public interface. You could also try BPF filtering.
If you tcpdump a "conversation" between you and these hosts it's easier to determine why 3/13's are sent. IIRC 3/13's are sent when access is denied to a UDP port (type 3) because it's being filtered (code 13). Kinda like when access is denied (type 3) to a UDP port cuz it ain't open (code 3).
Sorry that was a little confusing unSpawn. My HOME_NET is 192.168.0.0/24. The 68.81.x.x is a public IP. That was my mistake for not editing it in the first place, but you could just remove that from your previous post. Anyway I'm completely confused about the IPs that are showing up in my logs. Here's my topology:
If I read the ascii dump correctly it says "10.96.216.1 warn 192.168.0.25, sending UDP to 172.16.1.33 over eth1 is denied/filtered". This looks to me like you're not blocking traffic to the Class B address range on the Linux router/NAT fw, else it couldn't even reach 10.96.216.1.
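Decoding a 3/13 message the way unSpawn reads it above, as an added example that is not from the thread: the outer IP header names the router that complains (the modem), the ICMP payload carries the original IP header plus the first 8 bytes of the original datagram, which is where the inner source, destination and UDP port come from. The packet bytes are constructed here (port 1900 is an assumed value, not from the logs); `dst_is_private` flags the RFC 1918 destinations the thread talks about filtering.

```python
import ipaddress
import struct

ICMP_DEST_UNREACH = 3          # ICMP type 3
ICMP_ADMIN_PROHIBITED = 13     # code 13: communication administratively prohibited
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left 0; the bytes are never sent)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def build_sample():
    """Constructed sample: 10.96.216.1 tells 192.168.0.25 its UDP to 172.16.1.33 was filtered."""
    inner = (_ipv4_header("192.168.0.25", "172.16.1.33", 17, 8)
             + struct.pack("!HHHH", 1026, 1900, 8, 0))      # first 8 bytes of the UDP header
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_ADMIN_PROHIBITED, 0, 0) + inner
    return _ipv4_header("10.96.216.1", "192.168.0.25", 1, len(icmp)) + icmp


def decode_icmp_unreach(pkt):
    """Return who complained and about which flow, or None if this is not ICMP type 3."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                       # outer protocol must be ICMP
        return None
    icmp = pkt[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH:
        return None
    inner = icmp[8:]                      # quoted original IP header + 8 bytes of payload
    inner_ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    inner_dst = ipaddress.ip_address(inner[16:20])
    sport = dport = None
    if proto in (6, 17):                  # TCP/UDP: ports are the first 4 quoted payload bytes
        sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "reporter": str(ipaddress.ip_address(pkt[12:16])),
        "code": icmp[1],
        "orig_src": str(ipaddress.ip_address(inner[12:16])),
        "orig_dst": str(inner_dst),
        "proto": proto, "sport": sport, "dport": dport,
        "dst_is_private": any(inner_dst in n for n in PRIVATE_NETS),
    }
```

Run it over the sample and the result reads exactly like the ASCII dump: reporter 10.96.216.1, code 13, 192.168.0.25 sending UDP to a private 172.16.1.33.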
So for some reason unknown, a box behind my firewall or maybe the firewall itself is trying to send to a 172.x.x.x address? Hmm, I guess I should just block all private addresses, 10.x.x.x, 172.x.x.x; at least I will allow the one cable modem IP.
Aw cummon dude, you're the one with the CCNA training :-] Provided your ISP does its part in egress filtering, ok then it prolly stops at the next hop, but if not/or anyway how does *your* network know not to accept in/outbound private ranges then if you don't filter for 'em?
Btw do you run snort in binary mode and with tcpdump logs, or ASCII only? If you log all traffic it should be fairly easy to load the dump into ethereal and look for uh, periodicity, and addresses then run a dump on the host, or attach a BPF filter to a tcpdump to fine-tune something like "dest host 172.16.1.33" or "src host <IP address> and dest host 172.16.1.33"...