Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-13-2004, 02:49 AM   #1
simke
Member
 
Registered: May 2004
Location: Malaysia
Distribution: Fedora Core 15, Open Suse 11.4, Ubuntu 11.04, Knoppix 5.1.1, Debian 6.0
Posts: 42

Rep: Reputation: 15
System log


G'day. I need help to understand the following activities log. Would appreciate if someone will kindly explain their meanings. Thanks.

Sep 13 09:01:52 localhost kernel: Firewalled:IN=eth1 OUT= MAC= SRC=192.168.1.4 DST=192.168.1.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=31 DF PROTO=UDP SPT=138 DPT=138 LEN=221
Sep 13 09:01:52 localhost kernel: Firewalled:IN=eth1 OUT= MAC= SRC=192.168.1.4 DST=192.168.1.255 LEN=234 TOS=0x00 PREC=0x00 TTL=64 ID=32 DF PROTO=UDP SPT=138 DPT=138 LEN=214
Sep 13 09:13:47 localhost kernel: Firewalled:IN=eth1 OUT= MAC= SRC=192.168.1.4 DST=192.168.1.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=33 DF PROTO=UDP SPT=138 DPT=138 LEN=221
Sep 13 09:13:47 localhost kernel: Firewalled:IN=eth1 OUT= MAC= SRC=192.168.1.4 DST=192.168.1.255 LEN=234 TOS=0x00 PREC=0x00 TTL=64 ID=34 DF PROTO=UDP SPT=138 DPT=138 LEN=214
Sep 13 09:17:11 localhost kernel: Firewalled:IN=eth1 OUT= MAC=00:0d:88:19:ee:4a:00:d0:d0:46:2d:85:08:00 SRC=64.94.110.12 DST=192.168.1.4 LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=46678 DF PROTO=TCP SPT=80 DPT=50318 WINDOW=7504 RES=0x00 ACK FIN URGP=0
Sep 13 09:17:12 localhost kernel: Firewalled:IN=eth1 OUT= MAC=00:0d:88:19:ee:4a:00:d0:d0:46:2d:85:08:00 SRC=64.94.110.12 DST=192.168.1.4 LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=46679 DF PROTO=TCP SPT=80 DPT=50318 WINDOW=7504 RES=0x00 ACK FIN URGP=0
Sep 13 09:17:13 localhost kernel: Firewalled:IN=eth1 OUT= MAC=00:0d:88:19:ee:4a:00:d0:d0:46:2d:85:08:00 SRC=64.94.110.12 DST=192.168.1.4 LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=46680 DF PROTO=TCP SPT=80 DPT=50318 WINDOW=7504 RES=0x00 ACK FIN URGP=0
Sep 13 09:17:15 localhost kernel: Firewalled:IN=eth1 OUT= MAC=00:0d:88:19:ee:4a:00:d0:d0:46:2d:85:08:00 SRC=64.94.110.12 DST=192.168.1.4 LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=46681 DF PROTO=TCP SPT=80 DPT=50318 WINDOW=7504 RES=0x00 ACK FIN URGP=0
Sep 13 09:17:20 localhost kernel: Firewalled:IN=eth1 OUT= MAC=00:0d:88:19:ee:4a:00:d0:d0:46:2d:85:08:00 SRC=64.94.110.12 DST=192.168.1.4 LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=46682 DF PROTO=TCP SPT=80 DPT=50318 WINDOW=7504 RES=0x00 ACK FIN URGP=0
Sep 13 09:17:30 localhost kernel: Firewalled:IN=eth1 OUT= MAC=00:0d:88:19:ee:4a:00:d0:d0:46:2d:85:08:00 SRC=64.94.110.12 DST=192.168.1.4 LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=46683 DF PROTO=TCP SPT=80 DPT=50318 WINDOW=7504 RES=0x00 ACK FIN URGP=0
Sep 13 09:17:51 localhost kernel: Firewalled:IN=eth1 OUT= MAC=00:0d:88:19:ee:4a:00:d0:d0:46:2d:85:08:00 SRC=64.94.110.12 DST=192.168.1.4 LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=46684 DF PROTO=TCP SPT=80 DPT=50318 WINDOW=7504 RES=0x00 ACK FIN URGP=0
Sep 13 09:18:31 localhost kernel: Firewalled:IN=eth1 OUT= MAC=00:0d:88:19:ee:4a:00:d0:d0:46:2d:85:08:00 SRC=64.94.110.12 DST=192.168.1.4 LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=46685 DF PROTO=TCP SPT=80 DPT=50318 WINDOW=7504 RES=0x00 ACK FIN URGP=0
Sep 13 09:26:00 localhost kernel: Firewalled:IN=eth1 OUT= MAC= SRC=192.168.1.4 DST=192.168.1.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=35 DF PROTO=UDP SPT=138 DPT=138 LEN=221
Sep 13 09:26:00 localhost kernel: Firewalled:IN=eth1 OUT= MAC= SRC=192.168.1.4 DST=192.168.1.255 LEN=234 TOS=0x00 PREC=0x00 TTL=64 ID=36 DF PROTO=UDP SPT=138 DPT=138 LEN=214
 
Old 09-13-2004, 08:22 AM   #2
r0b0
Member
 
Registered: Aug 2004
Location: Europe
Posts: 608

Rep: Reputation: 50
These are logs from your firewall. Each entry contains information about one packet that was logged and most probably rejected by the firewall. Field by field explanation of important fields:
IN: ethernet device via which the packet has arrived
SRC: IP address of the computer which sent this packet
DST: destination IP address of the packet (e.g. your IP address most probably)
PROTO: protocol (TCP/UDP/ICMP...)
SPT: source port (in TCP and UDP packets)
DPT: destination port e.g. port number on your computer
 
Old 09-13-2004, 08:36 PM   #3
simke
Member
 
Registered: May 2004
Location: Malaysia
Distribution: Fedora Core 15, Open Suse 11.4, Ubuntu 11.04, Knoppix 5.1.1, Debian 6.0
Posts: 42

Original Poster
Rep: Reputation: 15
Thank you for the info, r0b0. In this case, SRC=192.168.1.4 is not one of my internal IP addresses. Does it mean that someone out there is trying to access my SMB services? eth1 is my outside Ethernet device (ADSL). Thank you.
 
Old 09-13-2004, 09:58 PM   #4
scottman
Member
 
Registered: Jul 2004
Location: USA
Distribution: Slackware, FreeBSD, LFS
Posts: 72

Rep: Reputation: 15
Quote:
Sep 13 09:01:52 localhost kernel: Firewalled:IN=eth1 OUT= MAC= SRC=192.168.1.4 DST=192.168.1.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=31 DF PROTO=UDP SPT=138 DPT=138 LEN=221
This seems to be a NetBIOS broadcast. I think it's either a Windows PC of some sort,
or a router/server requesting information from PCs on the network.

I seriously doubt it's any kind of attack; the source IP is an IP address that is
reserved for non-Internet use.

Quote:
Sep 13 09:17:11 localhost kernel: Firewalled:IN=eth1 OUT= MAC=00:0d:88:19:ee:4a:00:d0:d0:46:2d:85:08:00 SRC=64.94.110.12 DST=192.168.1.4 LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=46678 DF PROTO=TCP SPT=80 DPT=50318 WINDOW=7504 RES=0x00 ACK FIN URGP=0
These originated from a web server. The ACK FIN flags are the server responding to a FIN flag sent from
192.168.1.4. This is done in order to close a connection that has been established. Since it's coming
in on the same ports, with the same flags, it probably isn't an attack either.

You may have a slight firewall misconfiguration, and a router or modem with an IP you're not aware of.
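As an added example (not part of the thread or anyone's post), here is a small Python triage script that parses netfilter LOG lines like the ones above into the fields r0b0 listed and applies the two explanations scottman gave: NetBIOS broadcasts to the subnet broadcast address and ACK FIN packets from a web server closing a connection. The sample log is constructed by re-typing two of the quoted lines; the labels, the /24 broadcast assumption and the "Firewalled:" prefix handling are the example's own choices.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: two lines re-typed from the ones quoted in this thread.
SAMPLE_LOG = """\
Sep 13 09:01:52 localhost kernel: Firewalled:IN=eth1 OUT= MAC= SRC=192.168.1.4 DST=192.168.1.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=31 DF PROTO=UDP SPT=138 DPT=138 LEN=221
Sep 13 09:17:11 localhost kernel: Firewalled:IN=eth1 OUT= MAC=00:0d:88:19:ee:4a:00:d0:d0:46:2d:85:08:00 SRC=64.94.110.12 DST=192.168.1.4 LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=46678 DF PROTO=TCP SPT=80 DPT=50318 WINDOW=7504 RES=0x00 ACK FIN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")          # KEY=VALUE tokens; bare DF/ACK/FIN are skipped
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """One netfilter LOG line -> dict of KEY=VALUE fields plus a FLAGS set.
    LEN= occurs twice (IP total, then UDP payload); the dict keeps the second."""
    _, _, body = line.partition("kernel: ")
    fields = dict(FIELD_RE.findall(body))
    fields["FLAGS"] = {tok for tok in body.split() if tok in TCP_FLAGS}
    return fields

def is_private(ip):
    """True for RFC 1918 and other non-Internet-routable sources such as 192.168.1.4."""
    return ipaddress.ip_address(ip).is_private

def classify(f):
    """Label a parsed entry with the reasoning used in the replies above.
    Assumes a /24 LAN, so a DST ending in .255 is the subnet broadcast."""
    if f["PROTO"] == "UDP" and f["DST"].endswith(".255") and f["DPT"] in ("137", "138"):
        return "netbios-broadcast"      # Windows name/datagram service chatter
    if f["PROTO"] == "TCP" and f["SPT"] == "80" and {"ACK", "FIN"} <= f["FLAGS"] and "SYN" not in f["FLAGS"]:
        return "web-server-close"       # server finishing a connection the client opened
    if not is_private(f["SRC"]):
        return "external-review"        # unexplained inbound from the Internet
    return "review"

def triage(log_text):
    """Count labels across a whole log so the unexplained entries stand out."""
    return Counter(classify(parse_line(l)) for l in log_text.splitlines() if "kernel:" in l)

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        f = parse_line(line)
        print(f"{f['SRC']:>14} -> {f['DST']:<14} {f['PROTO']}/{f['DPT']:<5} {classify(f)}")
    print(dict(triage(SAMPLE_LOG)))
```

Anything that lands in "review" or "external-review" is what is left to look at by hand, which on this thread's log would be nothing.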
 
Old 09-13-2004, 10:24 PM   #5
simke
Member
 
Registered: May 2004
Location: Malaysia
Distribution: Fedora Core 15, Open Suse 11.4, Ubuntu 11.04, Knoppix 5.1.1, Debian 6.0
Posts: 42

Original Poster
Rep: Reputation: 15
Thank you Scottman. Now I get it.

Regards,
Sim.